Data breaches can occur for a variety of reasons, often resulting from weaknesses in technology, security processes, or human behavior. While cyberattacks by external threat actors receive attention, breaches may also result from preventable issues such as employee mistakes, poor password practices, or misconfigured systems. Healthcare organizations, in particular, face unique challenges because they rely on interconnected technologies, third-party vendors, and large volumes of sensitive patient information. Knowing what causes data breaches helps organizations improve their security practices and better protect sensitive patient and business information.
Common causes
Cyberattacks
Phishing
Phishing is one of the most common cyberattacks, where fraudsters trick users into providing sensitive information like passwords or financial details. According to the Paubox report, What small healthcare practices get wrong about HIPAA and email security, “As of 2024, over 70% of healthcare data breaches originated from phishing attacks.” These attacks often come in the form of fake emails or messages that appear to be from trusted sources. For example, healthcare AI company Xsolis disclosed a data breach affecting approximately 1.4 million individuals after an employee fell victim to a phishing email. The compromised account gave an attacker unauthorized access to the company's systems, demonstrating how a single phishing attack can expose large volumes of sensitive healthcare data.
Malware
Malicious software, including viruses, ransomware, and spyware, can compromise systems and extract data. A 2024 survey of global Chief Information Security Officers (CISOs) identified ransomware attacks as a top cybersecurity risk, with 41% citing it among the top three significant threats. Furthermore, Paubox's 2025 Healthcare Email Security Report notes that “Since 2018, ransomware attacks on healthcare organizations have surged by 264%.”
In recent news, the Qilin ransomware group gained access to Covenant Health's IT environment and remained undetected for eight days. The attack exposed the records of 478,188 patients across St. Joseph Hospital of Nashua, St. Joseph Healthcare in Bangor, and St. Mary's Health System in Lewiston.
Hacking
Hacking is the exploitation of vulnerabilities in software, networks, or systems to gain unauthorized access. According to data from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), 220 of the 252 large healthcare data breaches reported between January 1 and April 30, 2026, were classified as hacking or IT incidents, accounting for approximately 87% of all reported breaches.
Credential stuffing
Credential stuffing occurs when cybercriminals use stolen usernames and passwords, often obtained from previous data breaches, to try to access accounts on different websites or systems. This type of attack exploits the fact that many users reuse the same login credentials across multiple platforms, making it easier for attackers to break into a wide range of accounts once they have access to a set of valid credentials.
Insider threats
Malicious insiders
Employees or contractors who intentionally steal or expose data. According to America’s Cyber Defence Agency, “intentional threats are actions taken to harm an organization for personal benefit or to act on a personal grievance. For example, many insiders are motivated to “get even” due to a perceived lack of recognition (e.g., promotion, bonuses, desirable travel) or termination.”
Negligent insiders
Unintentional actions, such as misplacing devices or mishandling sensitive information. “Negligent insiders are generally familiar with security and/or IT policies but choose to ignore them, creating risk for the organization,” writes the America’s Cyber Defence Agency.
Third-party vendors
Third-party vendors can also become a point of entry for cyberattacks. Organizations often share sensitive data with cloud providers, software vendors, and other service providers, meaning a security incident affecting one vendor can impact multiple customers. For example, in June 2026, market intelligence platform Klue disclosed that hackers had breached its systems using a compromised legacy credential, allowing them to access customer cloud environments and steal data belonging to several organizations, including cybersecurity firms such as Huntress, HackerOne, Jamf, Recorded Future, and Tanium.
System vulnerabilities
Unpatched software
Failing to update software with the latest security patches leaves systems vulnerable to exploitation. Software vendors routinely release patches and updates to fix known security flaws, enhance functionality, and improve system stability. However, when organizations neglect to apply these updates, they expose themselves to preventable risks.
Misconfigured systems
Incorrect settings in databases, cloud storage, or servers can make data accessible to unauthorized users. This can happen when default security settings are not updated, access controls are too permissive, or sensitive data is stored in locations without proper encryption. For example, misconfigured cloud storage can result in publicly accessible databases or files that should be restricted to certain users, allowing cybercriminals to access or steal data.
Physical security breaches
Lost or stolen devices
Devices like laptops, smartphones, and USB drives can easily be lost or stolen, potentially exposing sensitive data. The introduction of Bring Your Own Device (BYOD) policies, meant that employees were increasingly using personal devices to access company data and systems. While BYOD offers flexibility and convenience, it also introduces significant security risks, particularly when devices are lost or stolen.
Unauthorized physical access
Intruders gaining access to on-site servers or data centers can lead to unauthorized access and thus a data breach.
Human error
Human error is a common cause of healthcare data breaches. Simple mistakes, such as clicking a phishing link, sending PHI to the wrong recipient, using weak passwords, or misconfiguring cloud storage, can expose sensitive patient information. For example, the 2026 Xsolis breach affected approximately 1.4 million individuals after an employee fell victim to a phishing email. Regular security training, phishing awareness programs, and safeguards such as multi-factor authentication can help reduce the risk of these preventable breaches.
Social engineering
Social engineering techniques, such as impersonation or baiting, manipulate individuals into divulging confidential information. For example, vishing (voice phishing) has been used to trick individuals into providing banking information or login credentials over the phone, posing a significant security risk.
Natural disasters
Events like floods, fires, or earthquakes can cause severe damage to physical infrastructure, including servers, data centers, and other critical systems. In addition to disrupting operations, these disasters can lead to data exposure if organizations do not have adequate disaster recovery plans in place.
IoT Device Vulnerabilities
Poorly secured Internet of Things (IoT) devices can be exploited to access broader networks. Many IoT devices are designed with minimal security features, and their default settings, such as weak passwords or outdated firmware, make them easy targets for attackers. Once compromised, these devices can be used to infiltrate other connected systems, steal sensitive data, or launch further attacks.
Supply chain attacks
Breaches originating from vulnerabilities in suppliers’ or partners’ systems occur when a vendor or business partner’s weak security measures are exploited, leading to the exposure of an organization’s sensitive data.
Earlier this year, GitHub investigated a breach claimed by the TeamPCP threat group after a compromised employee device was reportedly used to access more than 3,800 internal repositories, highlighting the risks posed by attacks on trusted technology providers.
Unauthorized API access
Poorly secured application programming interfaces (APIs) can be a major vulnerability, allowing attackers to extract sensitive data or even gain unauthorized access to systems. APIs are the bridges that allow different software applications to communicate with one another, and they are critical to modern business operations. However, if APIs are not properly secured, they can expose data, enable unauthorized actions, or even allow attackers to manipulate underlying systems.
See also: HIPAA Compliant Email: The Definitive Guide
Related: Tips on proactive data breach prevention for small healthcare practices
FAQS
How do data breaches impact individuals?
Individuals may experience identity theft, financial fraud, or privacy violations due to stolen personal data.
Can insurance cover the cost of a data breach?
Yes, cyber liability insurance can cover costs such as legal fees, notification expenses, and financial losses caused by a breach
