Ninety-four percent of health care organizations have suffered at least one data breach over the past two years, and 45% have suffered more than five such incidents, according to a study released Thursday by the Ponemon Institute.

The information breached is largely medical files and billing and insurance records, according to the Traverse City, Mich.-based Ponemon.

The study of the participating 80 health care organizations found that 54% of organizations have little or no confidence they can detect patient data loss or theft.

Other results reported in the “Third Annual Benchmark Study on Patient Privacy and Data Security,” which was sponsored by Portland, Ore.-based ID Experts Corp., include:

• The average economic impact of a data breach over the past two years for the health care organizations participating in the study was $2.4 million, an increase of almost $400,000 since the study was first conducted in 2010.

• The average number of lost or stolen records per breach is 2,769.

• The top three causes of data breaches are lost or stolen computing devices, employee mistakes and third-party snafus.

• Fifty-two percent discovered the breach as a result of an audit or assessment.

• Eighty-one percent permit employees and medical staff to use their own mobile devices such as smartphones and tablets to connect to their organization's networks or enterprise systems, but 54% say they are not confident these devices are secure.

• Ninety-one percent of hospitals surveyed use cloud-based services, but 47% say they do not have confidence in the ability to keep data secure in the cloud.

“Health care organizations need to strengthen their privacy and security posture if they are to reduce the number of data breaches occurring in their organizations,” says the study.

%%BREAK%%

Among the study's recommendation are that health care organizations consider elevating the chief privacy and security role from the hierarchal organization to one that reports directly to the board of directors, and conducting annual privacy and security risk assessments.

Discussing the study, Doug Pollack, ID Experts chief strategy officer, said, “The trend here is toward data breaches becoming more of a day-to-day activity that health care organizations need to deal with, as opposed to a kind of once-in-a-lifetime phenomenon.”

He said while a year ago, “the technical issues that were of greatest threat” were unencrypted laptops and portable media such as thumb drives and backup tapes, “this year, it seems to be all about personal mobile devices and moving information into the cloud.”

“Each year, there's new technological areas that are making it extremely difficult for the information and security and privacy folks in health care organizations to ... manage those risks as effectively as they'd like,” he said.

Mr. Pollack said part of the problem is, when comparing the health care industry to the financial services industry, “most people put them about a decade behind in terms of the effectiveness of their security posture.”

But there are also factors involved that are unique to the health care industry, including the “extreme sensitivity “of the data involved and that “health care is all about effectively making patient information immediately available at the point of service.”

As a result, in hospitals and other health care settings, “data is being moved around to so many different people for so many different purposes, it makes it much more difficult within those environments to avoid the accidental or other disclosure of this information,” he said.

Unfortunately, said Mr. Pollack, health care organizations “don't have the senior management oversight and the level of budget and resources that's necessary to put a big dent in the patient privacy issue.”

Copies of the report are available http://www2.idexpertscorp.com/ponemon2012/ here.