Health-care organizations are under attack.
Criminals are stealing patient records in order to commit medical identity theft. And the Affordable Care Act (ACA) has made the situation worse, according to a new report from the Ponemon Institute.
Ponemon estimates that these breaches cost the industry about $5.6 billion a year.
The survey found the overall number of reported data breaches at health-care organizations declined slightly last year, but criminal attacks on health-care providers increased dramatically—up 100 percent since 2010.
This is Ponemon's fourth annual Patient Privacy and Data Security study, and it finds that most data breaches are caused by sloppy practices, such as lost laptops loaded with unencrypted patient data.
"The information that's contained in a medical record has real value in the hands of a cyber criminal," said Larry Ponemon, chairman and founder of the Ponemon Institute. "And there's evidence that suggests that in the world of black market information, a medical record is considered more valuable than everything else."
"The black market is being flooded with payment card data," said Rick Kam, founder and president of ID Experts, which sponsored the study. "That data expires rather quickly because financial institutions replace the cards. Your Social Security number and personal health record don't change. They have a long shelf life."
Other key threats include employee negligence, unsecured mobile devices and third-party contractors who have access to the sensitive patient information of the health-care organizations they work with.
"The people in the health-care industry are good people who sometimes do stupid things, and that is the source of a lot of the problems," Ponemon said. "They're trying to get their work done, they feel under pressure, they're in the business of caring for patients, and they don't want to waste time to do more security or take that extra step to protect privacy."
The study, based on in-depth interviews with senior-level security personnel at health-care providers, looks at actual data loss and perceived risk. It concludes that health-care providers do not have the resources necessary to deal with the combination of threats from both inside and outside their organizations.
"The average person probably doesn't realize how many people touch their data as it moves through the health-care system," Kam told CNBC. "There's an average of six to 10 companies that will have your information just from one trip to the hospital."