New research finds that when organizations describe breaches using technical terms like phishing and malware without explanation, they obscure what happened rather than help people respond.

 

What happened

A study from Flinders University in Australia has found that cybersecurity language, far from helping the public understand digital threats, often makes it harder for people to know what occurred and what to do about it. According to CyberDaily, the research, titled "Grok Hackspeak? Communicating Cybersecurity with Figurative Language," found that organizations attempting to explain cyber incidents through metaphor and figurative language frequently confuse rather than clarify. Associate Professor Sky Marsen, author of the study, found that terms like ransomware and phishing originated inside hacker culture and were never designed for public audiences. When those terms are used in breach notifications and public statements without plain-language explanation, affected individuals do not fully understand what happened to their data or how to protect themselves. The study found that when explanations were presented in clear, direct, non-metaphorical language, participants understood them much better.

 

Going deeper

The study's core finding challenges a common assumption in healthcare communications, that using familiar technical terms like phishing or malware conveys meaningful information to patients and staff receiving breach notifications. Researchers found the opposite, that these terms carry meaning within expert communities but function as jargon to everyone else. This gap has a direct practical consequence. A patient who receives a breach notification explaining they were affected by a phishing attack may not understand that an employee was tricked into handing over login credentials, that their medical records were then accessible to an unauthorized person, and that they should now monitor their insurance statements for fraudulent claims. Without that chain of explanation, the notification fulfills a legal obligation without producing any protective behavior. Researchers also found that the failed communication can inadvertently reduce the perceived responsibility of the organization involved, since vague technical language makes the breach sound like an unavoidable technical event rather than a preventable security failure.

 

What was said

Associate Professor Sky Marsen of Flinders University told CyberDaily that "these terms weren't designed for the public in the first place. They emerged from inside hacker culture, and terms that may sound creative and playful within expert communities are often opaque to outsiders. When they are used in public communication, they can obscure rather than clarify what's happening." Marsen added that "organisations routinely tell customers they've been hit by phishing or a malware attack, but if people don't fully understand what that means, they may not know how to respond or protect themselves. Worse is that unclear communication can downplay the responsibility of organisations, or leave users vulnerable."

 

In the know

The Flinders University findings echo a concern that HHS OCR has raised in its own breach notification guidance. According to the HHS Office for Civil Rights breach notification guidance, notification letters must include a description of what happened, the types of information involved, steps individuals should take to protect themselves, and contact information for affected individuals to ask questions. The regulatory requirement is for plain-language disclosure, not technical categorization. Despite that standard, breach notifications across healthcare routinely describe incidents in terms that compliance officers and security professionals understand but that patients receiving the letters may not. The gap between regulatory intent and actual notification language is precisely the problem the Flinders University research quantifies.

 

The big picture

Healthcare organizations send tens of thousands of breach notification letters every year. Those letters are often drafted by legal and compliance teams focused on meeting HIPAA's content requirements rather than on ensuring the recipient understands what to do. A letter that says an organization experienced unauthorized access due to a phishing attack targeting employee email accounts is technically compliant and practically opaque to most patients. A letter that says an employee was tricked by a fraudulent email into sharing their login details, which allowed an unauthorized person to access records containing the recipient's name, date of birth, and insurance information for a period of three weeks, gives the recipient an accurate picture of what happened and what risk they face. According to Paubox's What Healthcare Gets Wrong About HIPAA and Email Security report, only 4% of known HIPAA email violations are reported internally, a figure that shows how poorly staff understand both the threats and their own obligations, the same communication gap that the Flinders University research documents at the patient level.

 

FAQs

Why does technical jargon in breach notifications matter legally?

HIPAA's Breach Notification Rule requires notifications to be written in plain language and to include specific information that allows individuals to understand what happened and protect themselves. A notification that uses unexplained technical terms may satisfy the letter of the content requirements while failing the plain language standard, exposing the organization to regulatory criticism if OCR reviews the notification.

 

What should a plain-language breach notification actually say?

A compliant and clear notification should describe in everyday terms what the unauthorized person was able to access, how long they had access, what specific types of information were involved for the recipient, what the organization has done to stop the breach and prevent recurrence, and what concrete steps the recipient should take such as monitoring specific account types or enrolling in credit monitoring rather than simply listing data categories in legal terminology.

 

How does unclear communication reduce the perceived responsibility of the organization?

When a breach is described as a sophisticated cyberattack using technical language that sounds like an external force beyond anyone's control, recipients are less likely to hold the organization accountable for preventable failures such as weak passwords, absent multi-factor authentication, or inadequate staff training. Plain-language descriptions that explain what the organization did or failed to do shift that perception appropriately.

 

Does this problem apply to staff security awareness training as well as patient notifications?

The Flinders University research focused on public communication, but the same principle applies internally. Staff training that uses unexplained security jargon may produce employees who can recite the definition of phishing without being able to recognize a phishing email in practice. Training that explains what the attacker is actually trying to accomplish and what a fraudulent message looks like produces more protective behavior than training built around technical vocabulary.

 

What is the simplest test for whether a breach notification is written clearly enough?

Read the notification aloud to someone outside the healthcare or security field and ask them to explain what happened and what they should do. If they cannot answer both questions accurately from the letter alone, the notification needs to be rewritten before it is sent.