58% of College Students Would Violate HIPAA and Sell Patient Data for the Right Price
A recent study exploring insider cybersecurity threats revealed that a majority of college students would be willing to violate the HIPAA Rules and steal and disclose patient data if they were paid to do so, provided the price was right. The amount of money required ranged from less than $10,000 to more than $10 million. The study was conducted by Lawrence Sanders, professor emeritus, University of Buffalo, Department of Management Science and Systems, and colleagues at the School of Management, and builds on a 2020 study that explored the price of healthcare privacy violations.
The 2020 study, published in JMIR Medical Informatics, was conducted on 523 students (average age of 21) who were about to enter the workforce. The respondents were asked to imagine that they had been employed by a hospital, and were given five scenarios in which they were asked if they would illegally obtain and disclose sensitive health information. 46% of respondents admitted that they would violate HIPAA and patient privacy if the price was right. In one of the scenarios, study participants were asked if they would obtain and disclose a politician’s medical records in exchange for $100,000, if the money was needed to pay for an experimental treatment for their mother that insurance wouldn’t cover. 79% of respondents said they would.
The follow-up study, which focused on cybersecurity insiders, was conducted on 500 undergraduate college students in technology-related programs, who represented future IT workers in the healthcare industry. They were asked to imagine they had been employed by a hospital, were being paid between $30,000 and $100,000, and were under financial stress and had been approached and asked to obtain and leak information about a famous patient at the hospital.
They were informed about HIPAA and how the federal law prohibited unauthorized access and disclosure of protected health information, yet 58% said they would violate HIPAA in exchange for payment. The amount of money required was less than $10,000 in some cases, and whether they would be tempted – and the amount required – varied depending on the employee’s salary leveland the perceived probability of being caught. The higher the employee’s salary, the more money was required to violate HIPAA and steal data. Individuals who had an interest in ethical hacking generally required less money to violate HIPAA, as was the case with individuals with an interest in unethical hacking, if they were assured that they would not be caught.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The study highlights the risk of insider data breaches and the importance of training on the HIPAA Privacy Rule requirements and the consequences of HIPAA violations, making it clear to all workers that if violations are discovered, the consequences of HIPAA violations can be severe.
“As cyberattacks and data breaches continue to rise, particularly in health care and other data-intensive sectors, our findings underscore the need for organizations to address the human and economic dimensions of cybersecurity alongside traditional technical controls,” said Professor Sanders. “Promoting awareness and education can discourage people from engaging in cybercrime by highlighting the negative consequences and risks associated with it. Initiatives that promote economic opportunity, social inclusion, cybersecurity literacy and a more secure digital environment are part of the solution.”
