Just two weeks ago, a non-profit healthcare provider was slapped with a $50,000 fine from the Department of Health & Human Services (HHS) for violating the HIPAA security rules, after losing an unencrypted laptop containing the sensitive personal information of 441 patients. This is the first HHS penalty for a data breach involving less than 500 victims.

For small healthcare providers, this signals an escalation in the consequence of a data breach, as organizations will be held accountable regardless of size. A fine of $50,000 is a lot of money for a small practice, especially a non-profit provider.

As we’ve discussed in the past, the average cost per record of a healthcare data breach is $240, which is 24 percent higher than average. As fines become more common, healthcare organizations of all sizes need to make sure patient data is managed appropriately.

U.S. companies are paying more to notify people impacted by data breaches, according to the 2011 Cost of a Data Breach Study: United States. The average cost to notify victims of breach increased in this year’s study from approximately $510,000 to $560,000. At the same time, the average size of a breach is down 16 percent and the costs associated with the detection and escalation of data breach events declined as well, suggesting that companies may be more efficient in investigating data breaches.

So, if companies are better at detecting breaches and breaches involve fewer records, why are notification costs continuing to creep up?

The simple answer is there are more laws and regulations governing data breach notification. Forty-six states now have data breach notification laws and there are other regulatory requirements to deal with, for instance HIPAA and HITECH. While each state’s requirements for notification vary, notification is typically required when personal identifying information (PII) has been or is “reasonably believed” to have been breached.

It is time for information security to leave the nest of the data center. Consumerization and the cloud in all its forms and definitions have moved critical and sensitive information beyond the traditional system level security controls with which we are all familiar. How information is managed is no longer solely decided by information technology and system admins but the business as a whole. In order for information security to remain effective we must have a seat at the table for these business decisions. We must be able to speak in terms that the leaders of the business understand. We must speak the language of risk.

A few figures released over the last week paint a dismal picture of the state of information protection in the healthcare industry. More than 20,000 patient medical records were exposed in yet another hospital data breach. A report from the Health and Human Services Department (HHS) found that more than 7.8 million people had their medical information compromised in more than 30,500 breaches since the enactment of HITECH , while a report from the Digital Forensics Association shows that disclosure of health industry data breaches has increased markedly during this same timeframe.

By the numbers, it would seem that the healthcare industry is in crisis when it comes to protecting patient data, and it’s costing them. According to the Ponemon Institute 2011 U.S. Cost of a Data Breach study, sponsored by Symantec, health data breaches cost $301 per lost record, which is 40 percent higher than average. Contributing to the higher cost is compliance with data protection regulations that requires health organizations to do more to find, disclose and fix breach-related problems. In addition to disclosure laws in 49 states, healthcare organizations also must comply with HIPAA and HITECH.