On May 7, 2015, the Ponemon Institute released its Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data (the “Study”), which surveyed 90 HIPAA covered entities and 88 business associates regarding their privacy and security practices and experience with data breaches.  The survey revealed a high prevalence of data breaches, finding that more than 90% of the survey subjects had experienced a data breach, and 40% of respondents had experienced more than five data breaches over the past two years.  The Survey pegged the average cost to covered entities of a data breach at more than $2.1 million, with the average cost to business associates at more than $1 million.

Key Study observations included the following:

  • The most frequent root cause of data breaches has shifted from lost or stolen portable devices to criminal attacks.
  • Organizations are relatively satisfied with policies and procedures but are less confident that they have the technology and other resources needed quickly to detect unauthorized data access.
  • Organizations tend to fear employee negligence as the greatest privacy and security threat, followed by cyber-attacks.

According to the Study, HIPAA covered entities and business associates are gradually increasing their budgets and resources to protect healthcare data, but many believe investment is lagging behind what is needed to meet current data security threats.