According to a recent Homeland Security News Wire article, nearly 8 million patient medical records were compromised over the course of the previous two years due to data security breaches. As more hospitals and patient care providers move to store patient data electronically—primarily as a cost savings effort—the risk and exposure of our private medical information increases while our individual control over this information diminishes.

Dr. David Brailer, the first national coordinator of health information technology under President George W. Bush, said, “We can’t just lock health care data away—because of its role in lifesaving treatment.” Dr. Brailer goes on to say that it is unrealistic to believe that the government can design a system that prevents all medical records from being compromised. “It’s a huge challenge. Break-ins and hacks are unfortunately going to be part of the landscape,” he added.

In November 2010 a study released by the Ponemon Institute revealed that data breaches of patient information cost healthcare organizations nearly $6 billion annually, and that many breaches go undetected. The report titled, Benchmark Study on Patient Privacy and Data Security, indicates that protecting patient data is a low priority for hospitals and that organizations have little confidence in their ability to secure patient records. This leaves individuals at great risk for medical identity theft, financial theft and embarrassment of exposure of private medical information.

Spending years in a the data security field, I’ve had many opportunities to see first hand how private organizations handle and secure electronic customer information, including patient medical records. The truth is, protecting that information is thought of even as a low priority by most organizations only as long as it is fiscally feasible. Like other types of critical business information, customer data—even confidential patient information—is not looked at in terms of how secure it needs to be but how secure can it be kept within a specific budget constraint. Many organizations make only a “best effort” to secure such information, often relying on technical solutions or staff that lack the sophistication or experience to provide a solid and secure method of retaining the data.

As with other types of information, patient information is being collected in more ways and at a faster pace given today’s technological advances. Hospitals, insurance companies, pharmacies and the like collect and store this information in a variety of ways, but far too often employ the same types of storage and security solutions they use to handle their own internal business data. An unfortunate truth is that many organizations view your personal medical data as their data once it is collected, and they will store and protect that data not in a manner that suits your needs as a consumer but rather in methods that best meet their budgetary bottom line.

The good news in all of this is that more government oversight is taking place in how your medical information is stored and protected. In June of 2010 five California hospitals were fined a total of $675,000 for failing to secure patient data. In February of 2011 a Massachusetts Hospital was fined $1 million for an incident in which the medical records of 192 patients were left on a subway car by a hospital employee. These types of fines provide the necessary budgetary “justification” for organizations to comply with security regulations and employ the required level of security measures to protect patient information and privacy.

However, according to the Office for Civil Rights, the enforcer of the HIPAA privacy and security rules, as of May 2011 there were 265 reported incidents this year where the breach of unsecured patient health information affected 500 or more individuals. These types of statistics remind us that our privacy, as well as our rights, are all too easily violated when our information is measured against the bottom line.