
The Top HIPAA Threats Are Likely Not What You Think

The top HIPAA threats are threats from insiders who, either due to a lack of HIPAA training or a lack of security awareness, violate HIPAA standards or make mistakes that allow cybercriminals to access healthcare networks. While more training could help mitigate these top HIPAA threats, a fairly enforced sanctions policy will likely be more effective.

Many articles listing the top HIPAA threats follow a similar theme: protect devices against theft, protect data against cybercriminals, and protect yourself against unauthorized third-party disclosures by signing a Business Associate Agreement. Unfortunately, these articles are way off the mark.

The top HIPAA threats facing healthcare organizations today often originate inside the organization rather than from external attackers. In many organizations, the most common issues involve workforce behaviors, inappropriate access, mishandled credentials, and avoidable mistakes that expose systems to threat actors. Technical safeguards matter, but insider activity remains one of the top HIPAA threats that compliance teams must manage proactively.

Many articles describing the top HIPAA threats focus on credential theft, ransomware, and the theft of unencrypted devices. These risks are real, but industry analyses consistently show that a substantial share of healthcare breaches involve insiders, whether through intentional misuse or preventable errors. The exact percentages vary by year, but the trend is stable enough to influence HIPAA compliance planning.

Understanding Insider‑Driven HIPAA Risks

Insider activity generally falls into two categories that appear repeatedly in discussions of the top HIPAA threats:

  • Malicious insiders
    These individuals intentionally access or misuse Protected Health Information (PHI). While high‑profile data‑theft cases draw attention, a large portion of “malicious” activity involves snooping on the records of colleagues, family members, or public figures. Snooping remains one of the top HIPAA threats because it is common and difficult to detect without monitoring.
  • Inadvertent actors
    These are workforce members whose actions unintentionally create vulnerabilities. Examples include falling for phishing emails, misdirecting information, or misconfiguring systems. Although the initial action is internal, the resulting breach often involves external threat actors. This category frequently appears in breach statistics and is one of the top HIPAA threats for smaller organizations with limited technical oversight.

Why Insider Threats Persist

HHS’ Office for Civil Rights has repeatedly emphasized the need for policies, monitoring, and sanctions to address insider behavior. Yet many organizations struggle with limited resources, competing operational demands, and the perception that external attacks are the primary danger. Surveys of healthcare IT and compliance professionals show ongoing concern about insider activity, but also a lack of tools or staffing to manage it effectively.

In 2022, HHS’ Office of Information Security highlighted insider activity as one of the top HIPAA threats, noting that these incidents often reflect broader issues in culture, access management, and oversight rather than isolated misconduct.

Are Inadvertent Actions a Greater Risk Than External Attacks?

In many breach reports, inadvertent actions outnumber direct external attacks. However, the distinction can be misleading. A phishing incident may be logged as an internal error, but the resulting compromise is carried out by an external threat actor. For compliance purposes, what matters is that the vulnerability was preventable.

For smaller practices, this reinforces a key point: several of the top HIPAA threats can be mitigated through practical, low‑cost measures such as credential hygiene, phishing awareness, and routine checks of system configurations.

Strengthening Defenses Against the Top HIPAA Threats

Technical safeguards such as encryption, multi‑factor authentication (MFA), and due diligence on business associates remain essential. But these measures alone do not address the insider‑driven issues that make up many of the top HIPAA threats.

To reduce insider‑related incidents, covered entities should focus on three areas:

  • Clear policies and consistent enforcement
    Workforce members must understand appropriate access standards and the consequences of violations. A sanctions policy applied consistently is one of the most effective deterrents to snooping and misuse.
  • Access controls and monitoring
    Role‑based access, audit logs, and alerts for unusual activity help identify inappropriate access early. Many EHR systems include built‑in monitoring tools that smaller organizations can use without major investment.
  • Targeted, practical training
    HIPAA training should be scenario‑based and focused on real‑world risks such as phishing, credential handling, and appropriate access. Regular, short training sessions are more effective than annual refreshers alone.

Allocating Resources Where They Have the Most Impact

If insider activity consistently appears among the top HIPAA threats, organizations should ensure their resources reflect that reality. This does not mean deprioritizing external threats but rather recognizing that many breaches begin with internal actions that can be mitigated through practical, achievable measures.

For smaller practices and community‑based providers, strengthening controls around insider behavior is often one of the most effective ways to reduce exposure to the top HIPAA threats and improve overall compliance.

While such recommendations are sensible, and indeed should be followed, they fail to address the top HIPAA threat – employees. According to the recently published IBM X-Force Threat Intelligence Report, 71% of recorded data breaches in the healthcare industry are attributable to employee actions. Employees responsible for data breaches are divided into two categories – “malicious insiders” (25%) and “inadvertent actors” (46%).

A Quarter of Healthcare Data Breaches Attributable to Malicious Insiders?

Although IBM’s Intelligence Report focuses on the number of breaches – rather than the number of records breached – the percentage of data breaches attributed to malicious insiders appears high. However, it is not the case that a quarter of the medical profession is stealing Protected Health Information for personal gain. A closer inspection of the data reveals the “malicious insiders” category includes employees snooping on the medical records of friends, colleagues, and celebrity patients.

Snooping was identified as the largest single cause of data breaches in the healthcare industry in a 2013 study conducted by Veriphyr Identity and Access Intelligence. As snooping constitutes an unauthorized disclosure of Protected Health Information, it is classified as a violation of HIPAA and therefore – by the number of violations alone – is one of the top HIPAA threats covered entities should be aware of. It is certainly a threat OCR would expect a covered entity to address in a HIPAA risk assessment.

Other Data Breaches Attributable to Malicious Insiders Tend to Attract Headlines

Whereas snooping can be the biggest cause of employee HIPAA violations by number, the biggest cause of employee HIPAA violations by records breached is insider data theft. In a recent high-profile case, a secretary employed by the Jackson Health System in Florida was charged with accessing more than 24,000 computerized patient records and selling the data to criminals, who subsequently used it to file fraudulent tax returns with the Internal Revenue Service.

A spate of high-volume data breaches around the same time prompted HHS’ Office for Civil Rights to issue a reminder to covered entities to take action to prevent insider data theft. Unfortunately, many covered entities appear not to have responded to the reminder. A survey conducted in late 2016 revealed half of healthcare IT professionals were more concerned about insider data theft than external data theft, but were not given the resources to deal with the threat.

Are Inadvertent Actors Really More of a HIPAA Threat than Cybercriminals?

According to the basic data it would appear so. However, the category of “inadvertent actors” includes victims of phishing attacks and IT professionals who fail to configure their security mechanisms properly; so it may be more accurate to rename this category “employees who inadvertently invited cybercriminals to steal data”. Nonetheless, the percentage of reported data breaches attributable to inadvertent actors is nearly twice that of external hacks.

This would imply another of the top HIPAA threats is a lack of employee awareness. Phishing is a massive threat to HIPAA compliance, but it is one that can be mitigated with phishing simulation training. Similarly, errors made by IT security staff can be reduced by implementing procedures to review the configuration of security mechanisms on a regular basis – which should be part of an annual risk assessment in any case. Basically, data breaches due to inadvertent actors are mostly avoidable.

The Top HIPAA Threats and How to Defend Against Them

At HIPAA Journal we strongly recommend covered entities encrypt data, implement two-factor authentication and conduct due diligence on business associates. These practices – and others recommended in typical HIPAA threat articles – will help defend against some HIPAA threats, but not the top HIPAA threats. In order to defend against the top HIPAA threats of snooping, insider data theft and a lack of employee awareness, covered entities need to:

  • Implement strong policies relating to employee conduct and enforce them with an equally strong sanctions policy.
  • Implement effective access controls that monitor who accesses PHI when and where, and what happens to it afterwards.
  • Implement a comprehensive HIPAA training program to raise employee awareness – particularly in the area of Internet security.
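The monitoring described in the “Access controls and monitoring” bullet earlier on this page and in the second recommendation above (monitor who accesses PHI, when and where) can be expressed as a small set of rules run over the EHR audit log. The script below is an added example written for this page; it is not code from the HIPAA Journal or from any EHR vendor. Its audit-log format, care-team roster, the list of workforce members who are also patients, and the 50-record daily threshold are all constructed for illustration and would be replaced by the covered entity’s own data sources and risk-assessment figures. It flags the three insider patterns the article names: access with no treatment relationship, access to a co-worker’s (or the user’s own) record, and bulk access consistent with insider data theft even by a user whose role legitimately touches any chart.

```python
"""Rule-based detection of suspicious PHI access in an EHR audit log.

Added example, not from the HIPAA Journal article. The log format,
roster, workforce patient ids and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class AccessEvent:
    ts: str          # ISO-8601 timestamp, e.g. 2024-03-01T08:02:11
    user: str        # EHR user id
    role: str        # job role recorded by the EHR
    patient_id: str  # chart that was touched
    action: str      # view / export / print ...


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    detail: str


# Constructed care-team assignments: the patients each user may access.
TREATMENT_RELATIONSHIP: Dict[str, Set[str]] = {
    "nurse01": {"P1001", "P1002"},
    "dr_lee": {"P1001", "P1003"},
}

# Constructed: roles that legitimately open any chart (e.g. health
# information management). The relationship rule is skipped for them,
# but the bulk-access rule is not.
BROAD_ACCESS_ROLES = {"him"}

# Constructed: patient ids that belong to members of the workforce.
WORKFORCE_PATIENT_IDS: Dict[str, str] = {"P2045": "nurse02", "P1003": "dr_lee"}


def build_sample_log() -> str:
    """Constructed audit log: '<ts> <user> <role> <patient_id> <action>'."""
    lines = [
        "2024-03-01T08:02:11 nurse01 nurse P1001 view",
        "2024-03-01T08:05:42 nurse01 nurse P1002 view",
        "2024-03-01T08:09:03 nurse01 nurse P2045 view",      # colleague's chart
        "2024-03-01T09:15:27 dr_lee physician P1003 view",   # own chart
        "2024-03-01T10:00:00 him03 him P1001 export",        # legitimate HIM work
        "2024-03-01T11:30:15 dr_lee physician P9999 view",   # no relationship
    ]
    # him07 pulls 60 distinct charts in one hour: bulk-access pattern
    for i in range(60):
        lines.append(f"2024-03-01T12:{i:02d}:00 him07 him P5{i:03d} view")
    return "\n".join(lines)


def parse_log(text: str) -> List[AccessEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, pid, action = line.split()
        events.append(AccessEvent(ts, user, role, pid, action))
    return events


def detect(events: List[AccessEvent],
           treatment: Dict[str, Set[str]] = TREATMENT_RELATIONSHIP,
           workforce: Dict[str, str] = WORKFORCE_PATIENT_IDS,
           bulk_threshold: int = 50) -> List[Alert]:
    alerts: List[Alert] = []
    per_user_day: Dict[tuple, Set[str]] = defaultdict(set)
    for e in events:
        # Rule 1: chart opened by someone with no care-team relationship.
        if e.role not in BROAD_ACCESS_ROLES and e.patient_id not in treatment.get(e.user, set()):
            alerts.append(Alert("NO_TREATMENT_RELATIONSHIP", e.user,
                                f"{e.ts} {e.action} {e.patient_id}"))
        # Rule 2: chart belongs to a workforce member (self or co-worker).
        if e.patient_id in workforce:
            owner = workforce[e.patient_id]
            who = "own" if owner == e.user else f"co-worker {owner}"
            alerts.append(Alert("WORKFORCE_RECORD_ACCESS", e.user,
                                f"{e.ts} {e.action} {who} record {e.patient_id}"))
        per_user_day[(e.user, e.ts[:10])].add(e.patient_id)
    # Rule 3: distinct charts per user per day above the agreed threshold.
    for (user, day), pids in sorted(per_user_day.items()):
        if len(pids) >= bulk_threshold:
            alerts.append(Alert("BULK_ACCESS", user, f"{day}: {len(pids)} distinct patients"))
    return alerts


def run() -> List[Alert]:
    return detect(parse_log(build_sample_log()))


if __name__ == "__main__":
    for a in run():
        print(f"{a.rule:26} {a.user:8} {a.detail}")
```

Each alert is a candidate for review, not a finding: a legitimate reason (a consult, a covering shift) may exist, which is why the rules are paired with the sanctions policy and the roster is kept current. The bulk rule deliberately still applies to broad-access roles, because the insider theft cases the article describes were committed by staff whose jobs gave them legitimate access to many records.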

More than anything, covered entities need to allocate more resources to eliminating data breaches attributable to employee actions. If the data provided in the IBM X-Force Threat Intelligence Report is taken at face value, covered entities should allocate three times as many resources to defending against the top HIPAA threats that come from within than they allocate to external threats.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
