For the second consecutive year, Ponemon Institute’s annual study on the state of security and privacy in healthcare found that cybercrime was the leading cause of data breaches among hospitals and other medical providers.

According to the “Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data,” 50% of surveyed healthcare providers named cybercriminal attacks as the root cause of a data breach they experienced in the past two years, compared to 45% in the 2015 and as little as 20% when the survey first debuted in 2011. An error by a third-party party partner was the next most commonly cited cause, at 41% (respondents were allowed to cite multiple causes). Stolen computing devices ranked third at 39%.

“One hypothesis we have, and I think the data supports us over the last six years, is that there are more and more attacks from external sources,” said Larry Ponemon, chairman and co-founder of the Ponemon Institute.

See also: Healthcare industry seeks to reform its position as hacking target

Moreover, Ponemon found that 89% of surveyed healthcare providers experienced a data breach in the last 24 months, with 79% admitting to suffering a minimum of two breaches, holding steady from the previous year’s report. Moreover, 45% admitted to having more than five breaches over the past two years, compared to 40% of respondents last year.

Ponemon estimates in its report that data breaches over the past two years have cost healthcare organizations an average of $2.2 million, and extrapolates that the industry as a whole lost $6.2 billion.

Employee negligence was the most commonly cited security threat that healthcare organizations expressed concern over (69%), followed by cyber attacks (45% — a five percentage-point increase over the previous year.)

Delving deeper into the cyberattack threat, Ponemon found that hospitals are most concerned about distributed denial of service (DDOS) attacks (48%), following by ransomware (44%), and malware (41%).

See also: Data management: Not if, but when

A 69% majority of healthcare organizations said they believe their industry is more vulnerable to data breaches than other business sectors. Among those who expressed this opinion, 51% said that one of the top two reasons is because they have not been not vigilant enough in ensuring that their third-party service providers are securely managing their sensitive data.

But perhaps this is changing: When asked how recent medical breaches have influenced their own security practices, 61% of healthcare organizations said they are now paying more attention to what kinds of data safeguards their third-party partners have in place.

The Ponemon Institute separately surveyed third-party partners that contract with healthcare organizations and asked why they think healthcare organizations are more vulnerable to breaches compared to other sectors. From a business partner perspective, 54% squarely laid the blame on healthcare employees themselves for being negligent in how they handle patient information, while only 32% said it was because healthcare organizations weren’t adequately vetting their third-party partners.

Ponemon noted that the employees in the healthcare field are often so preoccupied with administering timely and quality care, that IT security is not even close to top of mind. “When talking about things like protecting information, you get a glaze-eyed look” from many health employees, said Ponemon. “It’s not really a security-oriented culture,” he added.

See also: Challenges exist, even as excitement grows for big data market

According to the survey, the types of files that were most often compromised among healthcare providers were medical files (64%) and billing and insurance records (45%). “This information can be used to commit not just one identity crime but many, including medical identify theft,” said Ponemon. “The value of medical records is many times more valuable than other kinds of information about individuals.”

Ponemon noted that medical imaging data can even be used to create fake visas and passports. “It’s becomes a national security problem,” he said.

Of the respondents who confirmed that their healthcare organizations have both a security incident response plan and the in-house expertise to execute it, 56% said that more funding and resources were needed for the plan to truly be effective. Indeed, 77% of the organizations participating in the study said that they allocated 20% of less of their total security budget to incident response.

This story originally appeared in SC.