58% of College Students Would Violate HIPAA and Sell Patient Data for the Right Price

Posted by Steve Alder

A recent study exploring insider cybersecurity threats revealed that a majority of college students would be willing to violate the HIPAA Rules and steal and disclose patient data if they were paid to do so, provided the price was right. The amount of money required ranged from less than $10,000 to more than $10 million. The study was conducted by Lawrence Sanders, professor emeritus, University of Buffalo, Department of Management Science and Systems, and colleagues at the School of Management, and builds on a 2020 study that explored the price of healthcare privacy violations.

The 2020 study, published in JMIR Medical Informatics, was conducted on 523 students (average age of 21) who were about to enter the workforce. The respondents were asked to imagine that they had been employed by a hospital, and were given five scenarios in which they were asked if they would illegally obtain and disclose sensitive health information. 46% of respondents admitted that they would violate HIPAA and patient privacy if the price was right. In one of the scenarios, study participants were asked if they would obtain and disclose a politician’s medical records in exchange for $100,000, if the money was needed to pay for an experimental treatment for their mother that insurance wouldn’t cover. 79% of respondents said they would.

The follow-up study, which focused on cybersecurity insiders, was conducted on 500 undergraduate college students in technology-related programs, who represented future IT workers in the healthcare industry. They were asked to imagine they had been employed by a hospital, were being paid between $30,000 and $100,000, and were under financial stress and had been approached and asked to obtain and leak information about a famous patient at the hospital.

They were informed about HIPAA and how the federal law prohibited unauthorized access and disclosure of protected health information, yet 58% said they would violate HIPAA in exchange for payment. The amount of money required was less than $10,000 in some cases, and whether they would be tempted – and the amount required – varied depending on the employee’s salary leveland the perceived probability of being caught. The higher the employee’s salary, the more money was required to violate HIPAA and steal data. Individuals who had an interest in ethical hacking generally required less money to violate HIPAA, as was the case with individuals with an interest in unethical hacking, if they were assured that they would not be caught.

The study highlights the risk of insider data breaches and the importance of training on the HIPAA Privacy Rule requirements and the consequences of HIPAA violations, making it clear to all workers that if violations are discovered, the consequences of HIPAA violations can be severe.

“As cyberattacks and data breaches continue to rise, particularly in health care and other data-intensive sectors, our findings underscore the need for organizations to address the human and economic dimensions of cybersecurity alongside traditional technical controls,” said Professor Sanders. “Promoting awareness and education can discourage people from engaging in cybercrime by highlighting the negative consequences and risks associated with it. Initiatives that promote economic opportunity, social inclusion, cybersecurity literacy and a more secure digital environment are part of the solution.”

The post 58% of College Students Would Violate HIPAA and Sell Patient Data for the Right Price appeared first on The HIPAA Journal.

Patients of Philadelphia’s Laurel Health Centers Affected by Data Breach

Posted by Steve Alder

Patients of Laurel Health Centers have been notified that their protected health information was exposed in a July 2025 security incident, and Modern Health has identified unauthorized access to member profiles.

Laurel Health Centers

Laurel Health Centers, a Federally Qualified Health Center network in Northern Pennsylvania, has discovered unauthorized access to its email environment. An investigation was launched on July 14, 2025, to determine the cause of unusual email activity. The investigation determined that an unauthorized third party had access to certain email accounts between July 11, 2025, and July 25, 2025. During that time, emails and files may have been viewed or copied.

The affected email accounts were reviewed and found to contain patient information. The types of information vary from individual to individual and may include names in combination with one or more of the following: address, telephone number, email address, date of birth, Social Security numbers, medical record number, date(s) of service, medical provider, Medicare information, insurance information, diagnostic information, treatment and diagnosis data, insurance carrier, procedure codes, disability status, dental and denture information, immunization record, behavioral health information, Pennsylvania Account ID, account number, credit card information, checking account information and claim information.

Laurel Health Centers said it took time to conclusively determine that the threat actor no longer had access to its systems, hence the delay between discovering the unauthorized activity and confirming that the threat actor had been eradicated from its email environment. The review of the email accounts concluded on December 30, 2025, and notification letters were mailed to the affected individuals shortly thereafter. Complimentary credit monitoring services have been offered to the affected individuals. The incident is not currently listed on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Modern Health

Modern Health, a management support organization that provides services to several affiliated entities, including Modern Health Arizona, Modern Health California, Modern Health New Jersey, Elevate Tele-Medicine Telehealth, and Modern Life, has recently notified the Massachusetts Attorney General about an incident involving unauthorized access to member profiles on its behavioral health platform.

In November 2025, Modern Health determined that an unauthorized individual had accessed a limited number of member profiles. Steps were immediately taken to disable those profiles, and an investigation was launched to determine the extent of the unauthorized activity. The affected profiles were reviewed and found to contain sensitive member data, although Social Security numbers and financial information were not exposed. The review of the affected profiles was completed on January 5, 2026, and the affected individuals were notified via email on January 12, 2026. It is currently unclear how many individuals were affected in total. The Massachusetts Attorney General was informed that two state residents were affected.

The post Patients of Philadelphia’s Laurel Health Centers Affected by Data Breach appeared first on The HIPAA Journal.

Does your Staff Understand the Role of HIPAA Officers?

Posted by PJ Murray

Most healthcare staff know that HIPAA exists, yet many do not really understand who the HIPAA officers are or how those officers support their daily work. When staff see HIPAA Privacy and Security Officers only as rule enforcers or distant administrators, they miss a key resource that can help them make better decisions, prevent incidents, and resolve problems before they become reportable breaches.

Why it Matters that Staff Understand HIPAA Officer Roles

HIPAA is a moving target. Rules, implementation specifications, technology, and internal processes change over time. No front-line employee can track every update or interpret every nuance alone. The HIPAA Privacy Officer and HIPAA Security Officer exist to take on that responsibility at an organizational level and to translate it into clear, practical guidance for the workforce.

If staff do not understand what these officers do, they are less likely to ask questions when they feel unsure, less likely to report potential incidents quickly, and more likely to handle concerns informally or ignore warning signs. That puts patients, the organization, and the individual employee at greater risk.

The HIPAA Compliance Officer from the Staff Perspective

From the staff perspective, the HIPAA Compliance Officer plays a central and highly visible role in shaping how privacy and security expectations are understood and applied across the organization. Employees look to the compliance officer for practical guidance on how HIPAA requirements affect their specific duties, whether that involves handling patient records, communicating with vendors, responding to information requests, or managing incidents and near misses. The compliance officer is often the primary source of training and awareness, translating complex regulations into clear policies, procedures, and examples that staff can follow with confidence. Beyond training, the role includes listening to employee concerns, encouraging early reporting of potential issues, and creating a safe environment where questions and mistakes can be addressed without fear of retaliation. Staff also depend on the HIPAA Compliance Officer to coordinate audits, monitor compliance activities, and communicate changes in rules or organizational practices in a timely and understandable way. When the role is performed well, employees see the compliance officer as a trusted partner who supports ethical behavior, promotes consistency in decision making, and helps everyone contribute to protecting patient information as part of their everyday work.

The HIPAA Privacy Officer from the Staff Perspective

The HIPAA Privacy Officer is the person charged with building and running the privacy side of your HIPAA program. This role includes developing and implementing workplace privacy policies, making sure training reaches the workforce, and checking whether people actually follow those policies in real work settings.

When privacy rules or organizational practices change, the HIPAA Privacy Officer assesses the risks, updates the policies, and arranges extra HIPAA training so staff know what has changed and why. Staff should understand that this is the person who connects regulatory requirements and internal policies to the way front-line work is done.

The HIPAA Privacy Officer is also the organization’s main point of contact for patients and members of the public who want to exercise HIPAA rights, ask privacy questions, or file complaints. There is an important human element to patient rights for HIPAA Privacy Officers. That means the HIPAA Privacy Officer sits at the center of communication between the organization, its workforce, patients, and regulators. From a staff point of view, this is the person who investigates privacy concerns, decides whether a data breach report is required, and applies sanctions when staff violate privacy or breach notification standards.

Some tasks can be delegated to other senior staff, yet the HIPAA Privacy Officer keeps ultimate responsibility for privacy compliance. When employees understand this, they know where to take questions about policies, patient rights, and privacy complaints, and they can see the officer as a resource rather than just a source of discipline.

The HIPAA Security Officer from the Staff Perspective

The HIPAA Security Officer focuses on the protection of electronic health information. This officer develops and implements security policies and procedures designed to support compliance with the HIPAA Security Rule. That includes not only which technical safeguards the organization uses, but also how staff must use those safeguards in practice.

To support this work, the HIPAA Security Officer conducts HIPAA risk assessments, chooses appropriate security mechanisms, and designs a security awareness training program for the entire workforce. From the employee’s point of view, this is why there are rules about passwords, phishing emails, device use, remote access, and incident reporting. The HIPAA Security Officer turns the broad HIPAA Security Rule into specific expectations for daily behavior.

The HIPAA Security Officer also monitors compliance with security policies and can apply sanctions when staff break those rules, even when the violation is unintentional. This same officer is responsible for plans that protect the confidentiality, integrity, and availability of health information during emergencies. Those plans cover backup processes, contingency operations, emergency mode procedures, and disaster recovery, and staff rely on them when systems fail or disasters occur.

Depending on how roles are distributed, the HIPAA Security Officer may also handle breach reporting, Business Associate Agreements, and responses to external compliance assessments. Staff who understand this role know why certain technical rules exist and who to approach with concerns about security controls or suspicious activity.

HIPAA Officers as Partners, not just Enforcers

Privacy and Security Officers must enforce policies and manage incidents, but their role is not limited to catching errors and imposing discipline. In a healthy compliance culture, these officers are visible and approachable. Many maintain an open door policy and actively encourage staff and students to ask questions, raise concerns, and report possible violations.

When staff see HIPAA officers only as “the people who get you in trouble,” they may hide mistakes or stay silent about near misses. When they see officers as partners who can explain the rationale behind rules and help resolve issues, concerns surface earlier. That early detection can prevent harm, reduce the scope of a breach, and avoid escalation from a minor violation to a major event.

Staff should know who their HIPAA Privacy Officer and Security Officer are, where and how to reach them, and what types of questions or issues belong with each role. A brief introduction at orientation and early in role-based training can make later conversations much easier.

Risks when Staff do not Understand HIPAA Officer Roles

If staff cannot explain what the Privacy and Security Officers do, they are less likely to use those roles effectively. They may send patient complaints to the wrong place or fail to escalate a serious privacy concern. They might treat training as a one-time requirement without realizing that officers use training to communicate important policy changes. They may also assume that small violations do not need to be reported if no one seems hurt.

That lack of understanding undermines incident management and can harm the organization’s response to audits and investigations. It also increases personal risk for staff, because unreported or mishandled issues are more likely to resurface later in a worse form.

What Training for Staff about HIPAA Officers Should Cover

HIPAA training should then give a clear picture of the HIPAA Officer’s responsibilities in language that fits staff experience. That includes policy development, workforce training, privacy monitoring, patient-facing duties, investigation of alleged violations, and coordination with regulators and business associates. Staff should hear how those responsibilities show up in daily practice, such as updated privacy notices, revised authorization forms, or follow-up after a complaint.

Training should cover the HIPAA Officer’s responsibilities. Staff need to understand that this officer oversees security policies, risk assessments, security awareness training, monitoring of technical and procedural safeguards, and emergency planning for information systems. The training should link common expectations, such as mandatory security modules or new login procedures, back to the Security Officer’s role so staff can see the connection.

A section of the training should focus on communication. Staff should learn that HIPAA Officers are available to answer questions, clarify procedures, and discuss concerns. The HIPAA training content should encourage staff to contact the HIPAA officers.

Training should also explain the boundary between delegation and ultimate responsibility. Staff should understand that while some tasks may be assigned to supervisors, managers, or other specialists, the named officers still carry overall responsibility for HIPAA compliance.

The post Does your Staff Understand the Role of HIPAA Officers? appeared first on The HIPAA Journal.

Columbia Medical Practice; Jupiter Medical Center Announce Data Breaches

Posted by Steve Alder

Columbia Medical Practice has experienced a ransomware attack in which patient data was stolen, and Jupiter Medical Center has notified patients that their personal and health information was stolen in a January 2025 security incident.

Columbia Medical Practice

Columbia Medical Practice in Columbia, Maryland, has recently confirmed that patient data was compromised in a November 2025 ransomware attack. The investigation confirmed that an unnamed threat actor accessed its network on November 5, 2025, and used malware to encrypt files. Prior to file encryption, files were exfiltrated, some of which contained patient information. Columbia Medical Practice said it was able to recover the encrypted files, and it is reviewing the affected files to determine the individuals affected and the exact types of data involved. The Qilin ransomware group claimed responsibility for the attack.

The electronic medical record system was not accessed; however, files on the compromised parts of its network contained names, addresses, phone numbers, birth dates, passport numbers, Social Security numbers, driver’s license numbers, other government identifiers, financial account information (but not information such as security codes that would permit access), health insurance information, patient account numbers, and health information, which may include diagnoses, diagnosis codes, treatment/condition information, prescription information, history information, dates of service, locations of service, assigned physician names and health services payment information. The types of information involved vary from individual to individual.

Columbia Medical Practice said it is evaluating additional technical measures, reviewing its cyber auditing practices, and reviewing and updating its policies and procedures to reduce the risk of similar incidents in the future. Notification letters will be mailed to the affected individuals when the file review is concluded. At present, the incident is not listed on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Jupiter Medical Center

Jupiter Medical Center in Jupiter, Florida, has started notifying patients about unauthorized access to electronic medical records. Notification letters have only recently been sent, although the data breach occurred in January 2025. The breach involved its medical record vendor, Cerner (Now Oracle Health).

Jupiter was one of many healthcare providers affected by the breach. While Oracle Health has not confirmed publicly exactly how many of its clients were affected, in a recent lawsuit, Oracle Health’s attorneys said up to 80 hospitals may have been affected. Jupiter Medical Center said law enforcement requested delaying announcing the data breach and issuing notifications as it would potentially interfere with the law enforcement investigation.

The breach affected a limited number of patients and involved information typically found in medical records, as well as Social Security numbers. The affected individuals have been offered two years of complimentary credit monitoring services.

The post Columbia Medical Practice; Jupiter Medical Center Announce Data Breaches appeared first on The HIPAA Journal.