Staff are the Weakest Link in HIPAA Cybersecurity
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) data breach portal shows that patients’ protected health information is being exposed and stolen at an unprecedented rate. From 2021 to 2024, more than 700 large healthcare data breaches were reported each year, and each of those data breaches affected at least 500 individuals, with an average breach size of 203,892 individuals. In those four years alone, the protected health information of more than 595 million individuals was compromised.
Hackers have been targeting the healthcare and public health sector with increasing frequency, and hacking and other IT incidents now account for the bulk of the reported healthcare data breaches. Email accounts are accessed, networks are compromised, and in almost all cases, healthcare data is stolen by unauthorized individuals. While unauthorized third parties are the ones that access the data, when you delve into the root cause of the breach, it is often the actions of a healthcare employee or an employee of a business associate that caused the data breach.
Healthcare employees are the weakest link in cybersecurity and are targeted by cybercriminals directly, although in many cases, the actions of employees leave a digital door open for cybercriminals to walk straight through. Carelessness, employee errors, poor judgment, and a lack of knowledge or understanding of good cyber hygiene result in serious patient privacy violations and costly data breaches. The most common mistakes made by employees usually result in relatively small privacy breaches; however, even these small incidents can cause considerable damage to a healthcare organization’s reputation, and the HHS’ Office for Civil Rights has imposed many fines on HIPAA-regulated entities for data breaches resulting from employee mistakes.
Employee-Related Cyberattacks & Data Breaches
Various studies have confirmed the risk posed by employees. For example, Verizon found that 70% of healthcare data breaches are caused by insiders, a considerable increase from the 39% of breaches in 2021 that were attributed to healthcare employees. A HIMSS survey made it clear that employees are the biggest vulnerability in healthcare, and another survey revealed that 65% of healthcare employees are taking security shortcuts that put patient data at risk, with employees’ poor cyber hygiene a persistent threat.
Listed below is a selection of the many healthcare data breaches caused by employee mistakes, carelessness, and poor security practices over the past five years. These attacks have resulted in the theft of millions of patient records, lawsuits, and HIPAA violation penalties.
Responses to Phishing Emails and Social Engineering Attacks
Employees falling for phishing emails led to $600K fine for a California health care network
Phishing campaign tricks 53 Los Angeles County employees into providing cybercriminals with access to their email accounts
Employee responds to malicious email and exposes 108K individuals’ PHI
Eleven Aveanna Healthcare employees divulge their credentials to cybercriminals in a phishing campaign
Illinois Department of Human Services employees fall for phishing emails, exposing the PHI of 1.1 million patients
Screen Actors Guild – American Federation of Television and Radio Artists sued after an employee responded to a phishing email
$200,000 penalty after a skilled nursing facility employee responds to a phishing email and exposes 14,500 individuals’ PHI
23 L.A. County employees duped by phishing emails and disclosed credentials
OCR imposes its first financial penalty in response to a phishing attack on healthcare employees
Henry Ford Health employees tricked by phishing emails, exposing 168,000 patient records
Office of the Attorney General of Massachusetts fines home health agency $425K for phishing attack, citing insufficient security awareness training
An EyeMed Vision Care employee’s response to a malicious email exposed 2.1 million individuals’ PHI and led to a $4.5 million fine
BJC Healthcare settles data breach lawsuit stemming from three employees responding to phishing emails
Salinas Valley Memorial Healthcare System employees respond to phishing emails and expose patients’ data – the healthcare provider was fined $340,000 over the breach
Employee Malware Downloads Provide Access to Hackers
“Honest mistake” by an Ascension Health employee led to a ransomware attack and a 5.6 million-record data breach. The employee downloaded a malicious file from the internet and opened it, inadvertently executing malware
Summit Pathology and Summit Pathology Laboratories employee opened a malware-infected email attachment
A Behavioral Health Network employee downloaded malware that prevented access to patient data
An employee’s accidental malware download allowed a ransomware group to encrypt files
Employees’ Poor Cyber Hygiene and Bad Cybersecurity Practices
Healthcare workers routinely expose patient data to ChatGPT and Google Gemini, and share it via Google Drive and Microsoft OneDrive
An email error by an employee of The Queen’s Health Systems in Hawaii results in the impermissible disclosure of thousands of patients’ PHI
A Bassett Healthcare Network physician was discovered to have transmitted patient data to unauthorized individuals and saved patient data on a personal storage device
An email error by an employee of Campbell County Health has resulted in the impermissible disclosure of the protected health information of patients
Misconfigurations and Carelessly Exposing Patient Data
Password protection was not added to a DM Clinical Research database containing 1.6 million clinical trial records
A New Jersey health technology company employee exposed 86,000 records online
A Gargle database containing approximately 2.7 million patient profiles and 8.8 million appointment records was exposed online due to an employee error
Employee error results in impermissible disclosure of Winter Haven Hospital patients’ data
Employee error results in the exposure of 12 million medical laboratory records
Employee misconfigures patient database, exposing 3.1 million patients’ records. The database was subsequently deleted by the destructive Meow bot
Business associate employee misconfigures server, exposing Fairchild Medical Center patients’ data
University of Washington Medicine sued after an employee misconfigures server, exposing 974,000 patients’ PHI
An Indiana Department of Health employee misconfigures COVID-19 contact tracing database, exposing the data of 750,000 individuals
Failure to configure authentication exposes 1 billion records of CVS website searches
Department of Veterans Affairs contractor misconfigures database, exposing sensitive records of 200,000 military veterans
An employee misconfigures a County of Kings Public Health Department web server, exposing 16,590 patient records
Employee fails to secure AWS S3 bucket, exposing breast cancer patients’ data and medical images
Misconfigured CorrectCare web server exposes PHI of hundreds of thousands of inmates
A Washington D.C. health insurance exchange’s 56K-record data breach was the result of human error
Failure to configure access controls results in the exposure of the COVID vaccination statuses of 500,000 VA employees
The post Staff are the Weakest Link in HIPAA Cybersecurity appeared first on The HIPAA Journal.
Settlement Resolves Data Breach Litigation Against Falcon Healthcare-Interim Healthcare of Lubbock Texas
Falcon Healthcare, doing business as Interim Healthcare of Lubbock, Texas, a home care and home health care service provider, has agreed to settle class action litigation stemming from a hacking incident that was first identified in June 2022. An unauthorized third party had access to its computer network between April 29, 2022, and July 3, 2022, and downloaded the protected health information of 89,443 patients.
Data compromised in the incident included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, diagnoses, lab results, medications, and treatment information. The affected individuals were offered complimentary credit monitoring and identity theft protection services; however, it took until April 25, 2025, before the affected individuals were notified about the data breach.
On May 1, 2024, a class action lawsuit – Dawn Rice v. Falcon Healthcare, Inc. d/b/a Interim Healthcare of Lubbock, Texas – was filed in the District Court of Lubbock County, Texas, seeking damages on behalf of a national class of individuals affected by the incident. The lawsuit claimed that the data breach could have and should have been prevented. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, breach of fiduciary duty, and unjust enrichment.
The defendant denied all claims and contentions in the lawsuit, including all claims of liability and wrongdoing. Following mediation, all parties reached an agreement on the material terms of a settlement. A settlement was determined to be the best outcome for all parties to avoid further legal costs and expenses and the uncertainty of a trial and related appeals.
The terms of the settlement have now been finalized and approved by a federal judge. Falcon Healthcare has agreed to establish an $800,000 settlement fund to cover attorneys’ fees and expenses, settlement administration and notification costs, a service award for the class representative, and two years of medical data monitoring for the class members.
Class members are entitled to claim one of two further benefits. A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. Alternatively, class members may claim a cash payment, which is estimated to be $100 per class member. These benefits will be subject to a pro rata adjustment based on the number of claims received. Further information can be found on the settlement website: https://falcondatasettlement.com/
The deadline for exclusion from the settlement and objection is January 20, 2026. All claims must be submitted by January 26, 2026, and the final fairness hearing has been scheduled for February 10, 2026.