More than 90% of firms participating in a health care data security study have had a data breach, and 40% have had more than five, over the past two years, according to a study by the Ponemon Institute L.L.C.

A total of 90 health care organizations and 88 business associates participated in the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, conducted over a four-week period between Feb. 18 2015 and March 20, 2015 by the Traverse City, Michigan-based Ponemon think tank on data protection policy and sponsored by Portland, Oregon-based ID Experts.

The study, released Wednesday, estimated that data breaches could be costing the health care industry $6 billion annually and that the average cost of a data breach for a health care organization is $2.1 million. The average cost of a data breach to business associates represented in the research is more than $1 million, according to the study.

Criminal attacks are the biggest cause of data breaches in health care, according to the study, with a 125% increase compared with five years ago, and 45% of health care organizations say a criminal attack was the root cause of the data breach.

“We are seeing a shift in the causes of data breaches in the health care industry, with a significant increase in criminal attacks. While employee negligence and lost/stolen devices continue to be primary causes of data breaches, criminal attacks are now the No.1 cause,” said Ponemon founder and Chairman Larry Ponemon in a statement. “Since first conducting this study, health care providers are starting to make investments to protect patient information, which need to keep pace with the growing cyber threats.”

However, 56% of health care organizations and 59% of business associates do not believe their incident response process has adequate funding and resources, according to the study.

“In addition, the majority of both types of organizations fail to perform a risk assessment for security incidents, despite the federal mandate to do so,” the study said.