Last week Grady Memorial Hospital in Atlanta revealed that 900 ambulance patients might have had their personal information stolen by an employee of the company who runs the hospital's billing system. Investigators are trying to figure out whether the information, which included social security numbers, was used for any illegal purpose.

The data breach might be an inconvenience for Grady and its patients, but it's not an uncommon one. Grady is actually in rather large company. About nine in 10 surveyed U.S. hospitals have had a data breach over the past two years, with close to half reporting more than 5 breaches, according to a new report released Thursday by the Ponemon Institute. Some 2,800 records are compromised, on average, per breach, Ponemon said.

And the data leakage is not cheap. Ponemon reckons the average economic impact of a breach to a health care organization every year reaches $1.2 million, meaning the total hit to the U.S. health care system because of stolen laptops, hacked servers or lost thumb drives is estimated to be almost $7 billion.

Rick Kam, co-founder and president of ID Experts, an identity theft protection firm which sponsored the report, said the cost of a breach is not just the direct costs of legal bills. For big institutions, it also includes lost revenue from patients going to a different center for treatment after getting spooked by your breach. The lifetime value of a patient to a health system is calculated at around $107,000, he said.

"If the organization is a high profile organization like a Kaiser or a Johns Hopkins, much of their cost can be in lost opportunities," he told DOTmed News.

Crimes and misdemeanors

The study also found criminal attacks are on the rise. Cyber break-ins were reported by 20 percent of respondents as a cause of a breach in 2010, a number that has grown to 33 percent this year. The reason for the change? No one's sure, but Ponemon Institute founder and chairman Larry Ponemon said crooks might realize health care organizations are more vulnerable than other sorts of businesses. Also, purloined medical identity has a lot of street value. Kam said he heard it was worth about 50 times what a social security number could bring.

Medical identity theft — that is, using someone's health insurance number or other identifying information to get health care services — can be used to score prescription drugs, for instance. In the report, Ponemon found over half of the organizations had experienced an ID theft. All told, Kam estimated that about 1.85 million Americans were affected by medical ID theft this year — a pool of victims about as large as the population of Philadelphia.

More Industry Headlines