A list of data breaches maintained by the Privacy Rights Clearinghouse includes a variety of breaches at healthcare facilities, where personal information such as medical records or prescription drug information was compromised.

Now a study from the Ponemon Institute finds that data breaches of patient information cost healthcare organizations nearly $6 billion annually, and that many breaches go undetected.

Hat tip to the Wall Street Journal Health blog for highlighting the study.

According to its findings, the impact of a data breach over a two-year period is around $2 million per organization and the lifetime value of a lost patient is $107,580.

The average organization had 2.4 data breach incidents over the past two years. Major factors causing data breaches are unintentional employee action, lost or stolen computing devices and third-party error.

Given the rising exposure, you’d think hospitals and other healthcare facilities would be taking steps to protect patient data. Not so.

The research shows that protecting patient data is a low priority for hospitals and that organizations have little confidence in their ability to secure patient records.

Some 58 percent of organizations have little or no confidence in their ability to appropriately secure patient records, while 70 percent of hospitals said that protecting patient data is not a priority.

This is despite the fact that the HITECH Act, enacted in 2009, widened the scope of privacy and security protections under HIPAA to provide stronger safeguards for patient data. This includes notification to patients when their information is breached.

Unfortunately, the majority (71 percent) of respondents do not believe the HITECH Act regulations have significantly changed the management practices of patient records.

Rick Kam, president and co-founder of ID Experts (sponsors of the study) says:

“We talk with healthcare compliance people dealing with data breach risks every day and they just can’t get their arms around the problem of data exposure. Unfortunately, in healthcare organizations, patient revenue trumps risk management.”

Check out I.I.I. info on ID theft.