Scant progress on breaches since HITECH
The CTAS has published several reports showing data being exploited in underground message boards by cybercriminals from the U.S., Russia and China that cannot be linked back to the reported breaches from HHS. In addition, the service has found that malware is present on approximately 30 percent of endpoint devices in smaller healthcare organizations.
HITRUST's assessment data suggests many breaches may go unreported or undiscovered, officials say.
"Because of the gap between the breach data and other sources, we believe the breaches being reported are not all-inclusive," said Nutkis. "While we do not have a sense of the exact magnitude, given the cyber threats that healthcare and other industries face, we believe it must continue to be taken seriously."
The study spotlighted other areas of security concern:
Breaches of paper records remain significant, with errors in mailing and disposal of records playing a big role in some of the highest-profile paper-based breaches. Since 2009, paper records have comprised 24 percent of healthcare breaches, second only to laptops.
Business associates continue to account for a significant number of breaches (21 percent) and are implicated in a majority of the records breached to date (58 percent). Physician practices are most vulnerable in this area.
The average time to notify individuals and HHS following a breach is 68 days, with more than 50 percent of organizations failing to notify within the 60-day deadline set by HITECH.
The HITRUST report, "A Look Back: U.S. Healthcare Data Breach Trends," is available for download.