About 25% of consumers have been the victim of a healthcare data breach, says a new study from consulting and research firm Accenture released this morning at HIMSS 2017 in Orlando, Fla.

In the survey of about 2,000 consumers, Accenture found that 50% of patients whose data was accessed by unauthorized individuals were victims of medical identity theft. On average, they wound up paying approximately $2,500 in out-of-pocket costs per incident.

The survey found that the breaches were most likely to occur in hospitals, the location cited by more than one-third (36%) of respondents who experienced a breach, followed by urgent-care clinics (22%), pharmacies (22%), physicians' offices (21%) and health insurers (21%). 50% of consumers victimized by a breach found out about it themselves, by noticing an error on their credit card statement or benefits explanation, Accenture says.

In comparison, only one-third of consumers were alerted to the breach by the organization where it occurred, and 15% by a government agency.

Among those who experienced a breach, 50% were victims of medical identity theft.


Most often, the stolen identity was used to purchase items (cited by 37% of respondents) or used for fraudulent activities, such as billing for care or filling prescriptions, at 36% and 26%, respectively.

Nearly one-third of consumers had their Social Security number, contact information, or medical data compromised, Accenture says. Unlike credit card identity theft, where the card provider generally has a legal responsibility for account holders' losses above $50, victims of medical identity theft often have no automatic right to recover their losses, says Reza Chapman, Accenture managing director of cybersecurity for the health practice.

“Health systems need to recognize that many patients will suffer personal financial loss from cyberattacks of their medical information,” Chapman says. “Not only do health organizations need to stay vigilant in safeguarding personal information, they need to build a foundation of digital trust with patients to help weather the storm of a breach.”

Other survey findings include:

  • Even though criminals have penetrated the computer systems of many healthcare organizations, significantly more consumers still trust their healthcare provider (88%) and payer (82%) to keep their healthcare data secure than trust health technology companies (57%) or the government (56%) to do so.
  • More than four in five consumers—82%—note they want to have at least some involvement in keeping their healthcare data secure; fewer than two-thirds (64%) said that they have such involvement today.
  • In response to a breach, nearly all (91%) of the consumers who were victimized took some type of action. Some changed healthcare providers (25%) or insurance plans (21%), or sought legal counsel (19%). Others took personal steps, such as changing log-in credentials (29%), subscribing to identity-protection services (24%) or adding security software to their computer (20%). Only 12% of data-breach victims reported the breach to the organization holding their data, per the Accenture survey.