Data breaches are notorious for the financial, legal, and reputational damage they can inflict on an organization and its customers. The unintentional exposure of a social security number or financial information raises the risk of identity theft and increases an organization's vulnerability to lawsuits, fines and lost business.


These risks are especially troubling for healthcare providers, since data breaches in this sector are up 32 percent since 2010, according to a new benchmark study by the Ponemon Institute. And healthcare data breaches are expensive, costing the industry an estimated $6.5 billion.


At the same time, Moody's reports that the median revenue growth rate for hospitals is only 4 percent, its lowest in 20 years, and long-term revenue growth is expected to decline.


With this dismal financial outlook, it is safe to predict that data breaches are likely to increase: 73 percent of respondents in the Ponemon study reported lacking sufficient resources to prevent or detect unauthorized patient data access, loss, or theft. In fact, 53 percent of organizations cite lack of budget as their biggest weakness in preventing data breaches.


What's more, the unique nature of the information compromised—medical records and other health information—poses distinct threats to both providers and patients, and therefore requires special care. These risks include:

  1. The physical dangers to patients. Medical identity theft occurs when a patient's credentials are used to obtain medical goods and services or to bill for medical goods and services that the owner of these credentials did not receive. Victims of medical identity theft are susceptible not only to financial damages, but also face threats to their health. Patients can be denied treatment because of maxed-out benefits, be misdiagnosed because of record polluting (when a victim's records are merged with those of a thief using the same identity), can be denied insurance, or face embarrassment because of the exposure of sensitive information, such as mental health records.
  2. The unique requirements of the patient population. According to the Ponemon study, a patient has an average lifetime value of more than $113,000—high stakes for healthcare providers. But meeting the varying needs of patients affected by a data breach is not easy. Many are minors, elderly or disabled, or face mental health challenges. Because of this, custom services, such as specialized call center agents, may be required.
  3. The need for specialized identity monitoring. Many data breach response vendors, credit bureaus and providers of cyber insurance typically offer credit monitoring to those affected by a data breach. Victims of a healthcare data breach, however, require medical identity monitoring, a service which tracks a patient's insurance numbers and other medical information. Credit monitoring does not provide notification of medical identity theft.
  4. The move to electronic health records (EHR). In February 2009, the U.S. Senate passed an $838 billion stimulus bill, in part to enable the digitization of every American's medical record. Healthcare organizations are rushing to computerize their medical records, to take advantage of financial “meaningful use” incentives. But lagging security investments have left medical records more susceptible than ever to accidental or intentional disclosure, loss, or theft. What were once isolated paper records are becoming electronic health data on millions of individuals that can be transmitted in seconds. Once this information is breached, it can never be recovered.
  5. The rise of strict laws and stiff fines. The healthcare industry has, by far, the most stringent laws regarding the safety of its privacy data, called protected health information (PHI). HIPAA Privacy and Security Rules set standards for medical information privacy. The HITECH Act extends HIPAA privacy and security requirements beyond healthcare providers to business associates, creates stricter breach notification guidelines, and gives state authorities power to enforce HIPAA rules. It also increased penalties for noncompliance—up to $1.5 million.


The combination of increased danger to patients, the move to electronic health records, and the strict laws associated with protected health information all increase the risks associated with healthcare data breaches. More than ever, healthcare organizations need to strengthen their preventive measures to minimize those risks and ensure positive outcomes for their organization and the patients they serve.
