Health data breaches in the U.S. increased 97 percent in 2011 over the year before, according to a new report by Redspin, a leading provider of IT security assessments.

The annual survey, "Breach Report 2011, Protected Health Information,” found breaches in all 50 states, and examined a total of 385 incidents affecting over 19 million individuals since the HITECH Act's breach notification rule went into effect in August 2009.

"Information security data breach in healthcare has reached epidemic proportions – the problem is widespread and accelerating," said Daniel W. Berger, Redspin's president and CEO.

Redspin cites the increasing concentration of protected health information (PHI) on unencrypted portable devices (laptops, media) and the lack of sufficient oversight of PHI disclosed to hospital "business associates" as the main reasons for the increase.

[See also: Consumer group lists top 6 data breaches of 2011.]

Malicious attacks (theft, hacking, and insider incidents) continue to cause 60 percent of all breaches due to the economic value of a personal health record sold on the black market and for medical ID theft used to commit Medicare fraud, the study found.

The report also provides specific recommendations, drawn from its statistical analysis and real-world experience providing HIPAA security risk analysis services to dozens of hospitals and other healthcare organizations.

"Information security breach is the Achilles' heel of PHI," Berger said. "Without further protective measures, data breaches will continue to increase and could derail the implementation, adoption and usage of electronic health records."

A full copy of Redspin's "Breach Report 2011, Protected Health Information" can be found here.

[See also: 5 keys to discovering hidden data security risks.]

Follow Diana Manos on Twitter @DManos_IT_News.