Soaring Insider Breach Costs Driven by Shadow AI Use – The HIPAA Journal
Businesses with 500 or more employees lose an average of $19.5 million a year to insider incidents, up 20% since 2023, according to the Cost of Insider Risks 2026 Report from DTEX, a provider of risk-adaptive security and behavioral intelligence. The highest insider costs were in the healthcare and pharmaceutical industries, which averaged $28.8 million in annual losses per company.
The report is based on independent research conducted by the Ponemon Institute on organizations in North America, EMEA, and Asia-Pacific with between 500 and 75,000 employees. The research includes interviews with 8,750 IT and IT security professionals in 354 organizations that experienced one or more material insider events. Organizations represented in the data experienced almost 7,500 insider incidents, with an average of 25 incidents per company.
DTEX breaks down insider incidents into three categories: malicious, non-malicious, and outsmarted. Malicious insider incidents include employees causing harm through espionage, sabotage, workplace violence, unauthorized disclosures, IP theft, and fraud. Non-malicious incidents include causing harm due to genuine mistakes, carelessness, or inattentiveness. The outsmarted category includes employees being reasonably outmaneuvered by an attack or adversary, such as a phishing attack.
Malicious insiders accounted for 27% of incidents ($4.7 million in annual losses per company), and employees being outsmarted accounted for 20% ($4.5 million). By far the highest costs were due to non-malicious incidents caused by negligence, such as careless mistakes that expose sensitive data and employees ignoring IT warnings. These incidents made up 53% of insider incidents and $10.3 million of the annual losses per company, up 17% year-over-year.
The increase in non-malicious insider losses has been driven by a rise in shadow AI incidents – the use of AI-based tools by employees without the knowledge or consent of IT departments. The other main sources of negligence-related losses were the use of personal webmail and file-sharing sites.
Shadow AI-related incidents include employees uploading sensitive internal documents to AI tools such as ChatGPT, using AI notetakers that produce publicly accessible recordings and summaries containing sensitive information, and using AI browsers that enable access to malicious sites, AI-assisted torrenting, and NSFW content generation. The use of AI browsers and agents to perform tasks is also a major risk, as these tools are often granted access to corporate systems and bypass traditional controls and logging. Businesses can try to prevent shadow AI use by blocking access to popular AI tools such as ChatGPT, but in practice blocking has little effect: it simply encourages employees to find other AI tools, which may carry even greater risks.
AI adoption has greatly accelerated; however, visibility and governance have failed to keep pace. Employees are using AI tools to improve productivity, but their behaviors are routinely exposing sensitive data. DTEX found that organizations routinely lacked insight into the AI tools that were being used by employees, the data that was entered into these tools, and the length of time that AI-generated artifacts remained accessible.
The interviews highlighted considerable concern around AI, with almost three-quarters (73%) of interviewed IT staff believing that AI is creating invisible data exfiltration paths and 44% believing that malicious use of AI agents significantly or moderately increases the risk of data theft. Fewer than one in five respondents (18%) said they have fully integrated AI governance into their insider risk programs.
The report shows there has been an increase in the adoption of defensive AI, with 42% of organizations confirming that they have incorporated defensive AI into their insider risk management programs, and 71% of respondents believe behavioral intelligence is essential for combating insider incidents.
While the cost of insider incidents has grown, DTEX reports a record low in the time taken to contain an incident: the average fell from 86 days in 2023 to 67 days in 2025. The report also shows a significant return on mature insider risk management programs, which allow organizations to prevent at least seven insider incidents a year, saving them an average of $8.6 million in avoided breach costs.
“The results show real and meaningful progress at organizations with comprehensive and disciplined insider risk programs. Mature programs combined with modern tooling are clearly helping to prevent incidents before they occur. At the same time, the cost of insider risk continues to rise as their impact becomes more severe,” said DTEX CEO Marshall Heilman. “That contrast creates a powerful opportunity as AI becomes embedded across the workforce. Today, too few organizations classify AI agents as equivalent to human insiders, even as those agents operate with delegated authority, persistence, and reach. As a result, insider risk management and AI agent security are quickly converging. The same behavioral visibility and accountability that protect against insider risk must extend to AI systems. Organizations that apply those lessons will be better positioned to scale AI securely without sacrificing resilience in 2026 and beyond.”
Rebound Orthopedics & Neurosurgery Pays $2.5 Million to Settle Data Breach Lawsuit – The HIPAA Journal
Rebound Orthopedics & Neurosurgery, a Vancouver, WA-based orthopedic and neurosurgery practice, has agreed to pay $2,500,000 to settle a class action lawsuit over a February 2024 security incident involving unauthorized access to the protected health information of 426,536 patients. Data compromised in the incident included names, dates of birth, medical information, health insurance information, Social Security numbers, financial account information, driver’s license numbers, and passport numbers.
Notifications to affected patients began on April 15, 2024, and the first class action lawsuit related to the data breach was filed on February 7, 2025, in the Superior Court of the State of Washington, Clark County. A further five class action lawsuits were filed by other affected individuals and consolidated in the same court as Cooper, et al. v. Rebound Orthopedics & Neurosurgery P.C.
The consolidated lawsuit alleged that Rebound Orthopedics & Neurosurgery was at fault, as reasonable and appropriate cybersecurity measures had not been implemented prior to the data breach. The lawsuit asserted claims for negligence, breach of implied contract, unjust enrichment, breach of fiduciary duty, invasion of privacy, and violations of the Washington Consumer Protection Act and the Oregon Unlawful Trade Practices Act. Rebound Orthopedics & Neurosurgery denies all claims of fault, wrongdoing, and liability.
To avoid the costs, expenses, distraction, and burden of continuing with the litigation, and the uncertainty of a trial and related appeals, all parties agreed to settle the lawsuit. Class counsel and the class representatives believe that the settlement is fair. Under the terms of the settlement, Rebound Orthopedics & Neurosurgery has agreed to establish a $2,500,000 settlement fund to cover attorneys’ fees and expenses, notification and settlement costs, service awards for the class representatives, and benefits for the class members.
Class members may submit a claim for a two-year membership to the CyEx Medical Shield Complete credit and medical data monitoring service, plus one of two cash payments. A claim may be submitted for reimbursement of documented, unreimbursed losses incurred due to the data breach up to $5,000 per class member. Alternatively, a claim may be submitted for a one-time pro rata cash payment, which is estimated to be $75 per class member, but may be higher or lower depending on the number of valid claims received.
The deadline for objection to and exclusion from the settlement is May 28, 2026. Claims must be submitted by May 28, 2026, and the final fairness hearing has been scheduled for June 12, 2026.
Carolina Foot & Ankle Associates Notifies Patients About December 2025 Cyberattack – The HIPAA Journal
Cyberattacks and data breaches have been announced by the healthcare providers Carolina Foot & Ankle Associates, New Age Dermatology, and Marin Cancer Care.
Carolina Foot & Ankle Associates
The North Carolina podiatry practice Carolina Foot & Ankle Associates is notifying patients that some of their personal and protected health information was exposed in a December 2025 cybersecurity incident. The incident was detected on December 8, 2025, when the practice experienced a network disruption. Third-party cybersecurity experts were engaged to investigate and confirmed that an unauthorized third party had accessed the network and exfiltrated files containing patient data.
The file review has recently been completed, and confirmed that patient data had been compromised, including first and last names, phone numbers, dates of birth, medical record numbers, health insurance information, diagnostic/CPT codes, and dates of service. The types of data involved varied from individual to individual. Carolina Foot & Ankle Associates said Social Security numbers and financial information were not compromised in the incident, and there was no unauthorized access to its electronic medical record system.
When the breach was detected, immediate enhancements were made to security to prevent further data security incidents, and law enforcement was notified. As a precaution against data misuse, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. The breach has been reported to the HHS’ Office for Civil Rights using a placeholder estimate of at least 501 affected individuals.
New Age Dermatology
New Age Dermatology LLC has notified the Massachusetts Attorney General about a ransomware attack that was identified on or around December 20, 2025. According to the notice, the ransomware attack affected an internal server, which has been rendered inoperable and inaccessible. Law enforcement has been notified, and an investigation has been launched, with assistance provided by third-party cybersecurity professionals.
At this stage of the investigation, New Age Dermatology has yet to determine the specific types of information involved or the number of individuals affected, but explained that the information likely compromised includes the personal and protected health information typically found in patient records: names, dates of birth, medical and treatment information, diagnostic images, photographs, and Social Security numbers. New Age Dermatology has found no evidence to suggest that its electronic medical record system was compromised in the incident. At the time of writing, no ransomware group appears to have claimed responsibility for the attack.
New Age Dermatology is unaware of any data misuse, but as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months.
Marin Cancer Care
Marin Cancer Care, a provider of cancer treatment in Larkspur, California, has alerted patients to an incident involving unauthorized access to its computer network. An intrusion was detected on or around December 8, 2025. With the assistance of third-party investigators, Marin Cancer Care learned that an unauthorized third party had access to its computer network between November 22, 2025, and December 6, 2025, during which time files containing patient information may have been viewed or acquired.
The investigation and file review are ongoing to determine the affected individuals and the types of information involved. Marin Cancer Care has confirmed that names, medical information, and health insurance information were likely involved. Patients have been advised to remain vigilant against incidents of identity theft and fraud by reviewing their account statements and monitoring their free credit reports for suspicious activity.