A new study out by the Ponemon Institute finds that criminal attacks, rather than accidents or technological failures, are the leading cause of data breaches. The report finds that cyber-criminals are increasingly targeting health care providers and business associates for the vast amounts of personal data held by these entities, and that these attacks are costing the health care system potentially billions of dollars.

For the past five years, the Ponemon Institute has conducted a study of privacy and security trends of patient data in the health care industry. In its 2015 report, the Institute found, for the first time, that criminal cyber-attacks, such as web-borne malware attacks, were outpacing lost and stolen devices as the leading source of data breaches. In fact, Ponemon estimates that these attacks are up 125% from five years ago, while medical identity theft has nearly doubled in that time period. The Institute writes that “cyber criminals recognize two critical facts of the healthcare industry: 1) healthcare organizations manage a treasure trove of financially lucrative personal information and 2) health care organizations do not have the resources, processes, and technologies to prevent and detect attacks and adequately protect patient data.”

The Institute also found that employee negligence remains a considerable risk to personal information held by health care organizations and business associates, as approximately 95% of respondents to the study reported a security incident involving a lost or stolen device.

These attacks are extremely costly to health care organizations and consumers alike. Using the average cost of a data breach experienced by the health care organizations involved in its study, the Institute estimates that data breaches are costing the health care industry $6 billion a year.

The Ponemon Institute study underscores the fact that, whether or not they must comply with HIPAA, all health organizations that maintain personally identifiable information are at risk of a data breach arising from a cyber-attack. HIPAA requires covered entities and business associates to undertake regular risk assessments to identify areas of potential vulnerability and assess the organization’s compliance with the Security Rule. The Institute, however, concludes that entities of all sizes are not investing sufficient resources in technologies to adequately protect personal health information.