90% of hospitals and clinics lose their patients' data

NEW YORK (CNNMoney) -- No industry has been hit harder by hacking and data breaches than health care.

Recent data shows 90% of health care organizations have exposed their patients' data -- or had it stolen -- in 2012 and 2013, according to privacy researchers at the Ponemon Institute.

The medical industry faces more data breaches than the military and banking sectors combined.

As of last week, the medical industry has been slammed with 204 incidents this year, nearly half of the major breaches so far. It has lost 2.1 million records. And that doesn't even count the 4.5 million names and Social Security numbers taken from Community Health Systems' computer network in a major hack that was revealed on Monday.

Why the barrage of attacks?

Illegally purchased medical records fetch huge sums of money on black markets -- about $50 a pop. By contrast, credit cards fetch $1 each -- tops.

Criminals can use medical records to fraudulently bill insurance or Medicare. Or they use patients' identities for free consultations. Or they pose as patients to obtain prescription medications that can later be sold on the street.

Meanwhile, clinics are turning paper patient records into digital files. But hospitals and physicians typically don't take the extra step to protect those files -- making them easier than ever for a hacker to quietly steal en masse.

"They can't keep up," said J.D. Sherry, who advises hospitals for cybersecurity firm Trend Micro. "Their resources are tremendously overwhelmed. With day-to-day business, IT security is not top of mind."

Hospitals' patient records are often kept on the same computer network as the one used for other hospital business. Once inside, hackers don't have to jump through any more hoops to access medical information.

Making matters worse, many hospitals and doctors are using outdated technology that no longer receives security updates. For example, Community Health Systems was slow to patch the infamous Heartbleed bug earlier this year, allowing hackers access to employees' login credentials, according to security researcher David Kennedy, CEO of TrustedSec.

Doctors and hospitals also rarely encrypt all of the data they keep on us. The federal health records protection law, the Health Insurance Portability and Accountability Act, doesn't demand that hospitals and physicians use encryption.

Lisa Gallagher, a security expert at the health nonprofit HIMSS, described the state of IT in the health care industry as "vulnerable and challenged."

"Everyone in health care is working at this very hard, but there's a huge learning curve and it's underfunded," she noted.

It's a struggle for hospitals to keep data secure, but even more so for small physician practices that don't even have an IT expert on staff, much less a cybersecurity specialist.

And it's not like medical facilities can choose to simply not digitize patient files. Obamacare requires that insurers use electronic health records. Also, the 2009 federal stimulus package paid huge subsidies to clinics that go digital -- and as of 2015, lowers Medicare payments to those doctors that don't digitize.

So, while the federal Health and Human Services department promises "electronic health records will not change the privacy protections or security safeguards that apply to your health information," in reality, data breaches are becoming a regular occurrence.