Cyberattacks against well-known entities such as Sony or even the U.S. Defense Department may grab most headlines these days. But the healthcare industry is now bearing the brunt of most malicious attacks, which have more than doubled over the past four years. And even in the midst of rapidly escalating attacks on providers and insurers, senior executives have done poorly in warding them off or protecting data, a May 7 report asserts.

Half of the healthcare organizations studied reported experiencing at least one “criminal-based” security incident last year, Bloomberg News services reports. Such incidents typically involve a cyberattack or malicious theft by an employee. All told, more than 90% of healthcare organizations studied reported some kind of data breach in 2014, costing the industry $6 billion, or $2.1 million per organization.

The research was conducted by the Ponemon Institute, which published its Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data. The Ponemon Institute is a research center focused on privacy, data protection and information security policy.

Fewer than half of all healthcare organizations even have the technology needed to detect or prevent a breach or attack, according to the report. Even fewer (about one-third) report having the resources to identify specifics about attacks or breaches.

The leading causes for breaches and attacks on healthcare organizations Ponemon identified are (in order of severity): theft, employee negligence and malware. The biggest vulnerability for each of the past four years: Lost and stolen computers and paper files.

This article originally appeared on McKnight's