Studies show workforce actions continue to shape breach outcomes

Healthcare data breaches are often described as the result of hacking campaigns or sophisticated cybercriminal activity. Breach disclosures and enforcement records, however, continue to show that many incidents begin with routine staff actions rather than technical failures. Email use, credential handling, file sharing, and everyday workarounds frequently appear early in breach timelines, long before an attacker is identified.

Research examining healthcare cybersecurity consistently places people alongside technology and process as a primary source of exposure. A scoping review of healthcare cybersecurity literature framed the issue in practical terms, noting that vulnerabilities do not arise from tools alone, but from how systems are used in real clinical environments. The authors wrote that “the review of the extant literature confirmed the 3 factors of vulnerabilities to cyberattacks (technology, humans, and processes) from the lens of the STS theory in health care systems.”

Rather than describing rare or extreme behavior, the research focuses on ordinary activity. Healthcare staff work under time pressure, handle sensitive information continuously, and rely on digital communication to keep operations moving. Within that context, small missteps can quickly scale into reportable exposure.

 

Insider activity often starts with routine behavior

Insider risk in healthcare is often associated with malicious intent, such as unauthorized record access or data theft. Research shows that unintentional actions account for a large share of exposure, particularly when email and shared systems are involved.

The same scoping review described how risk is introduced through everyday conduct, stating that “insiders can introduce threats and vulnerabilities through inadvertent actions, such as inappropriate behavior, clicking phishing links, and falling victim to cyber threats.”

These findings align with how breaches are described in regulatory disclosures, where investigations often trace incidents back to a staff interaction rather than a system flaw. Training gaps appear repeatedly in these analyses. Researchers observed that “health care cybersecurity training implementations are largely misdirected, with a focus on cybersecurity professionals and information and communication technology (ICT) departments only, while neglecting health care–based professionals.”

The misdirected focus matters because frontline staff are the ones interacting with email, attachments, portals, and patient information throughout the day. When training and safeguards do not reflect that reality, exposure becomes more likely.

 

Breach data continues to point back to people

Quantitative analysis of healthcare breach reporting reinforces the role of human action. A peer-reviewed study examining breach data from the U.S. Department of Health and Human Services analyzed incidents over six years (January 2015 through December 2020) and found that human-driven issues were associated with disproportionate impact.

The authors explained their findings directly: “Using data from the United States Department of Health and Human Services, we conducted an exploratory analysis of past data breaches in healthcare organizations from January 2015 to December 2020 to explore the extent to which human elements played a role in data security incidents. We found that a vast majority of health records were compromised due to poor human security. The mean number of records affected by a breach due to unintentional insider threats is more than twice that of breaches caused by malicious intent, such as external cyberattacks and theft. Our findings also indicate that, on average, more patient records are compromised from falling for a phishing scam than any other reason.”

The study also examined why safe behavior breaks down in practice. Rather than framing mistakes as individual failure, the authors pointed to working conditions, writing that “barriers to safe cybersecurity practices among staff that emerged from the qualitative analysis included: a lack of training and education; heavy workloads and staff fatigue; perceived lack of IT support and poor IT infrastructure.”

These conditions appear repeatedly in healthcare environments, particularly where staffing shortages and operational pressure limit the margin for error.

 

How “insider activity” appears in threat reporting

Threat intelligence reporting reflects this broader definition of insider activity. In analyses of healthcare breach trends, insider risk is often defined to include both misuse and error.

One summary of breach drivers states: According to IBM’s X-Force Threat Intelligence Index, more than 70% of healthcare breaches analyzed were linked to insider activity, either intentional misuse or unintentional errors that enabled access to sensitive data.

The framing mirrors how many incidents unfold. A phishing email or misdirected message may begin as a staff action, after which unauthorized access expands the scope of exposure. Once an external actor becomes involved, incidents are often categorized as hacking, even though the initial access occurred through routine use of email.

Read also: What is a phishing attack?

 

Real-world incidents follow the same pattern

Reporting on healthcare breaches reflects these dynamics. In litigation tied to an email compromise at EyeMed Vision Care, reporting described how access to employee email accounts led to large-scale exposure and a $5 million settlement. Coverage of the Ascension cyberattack similarly traced the incident back to an employee downloading a malicious file, an incident that affected 13.4 million individuals and allowed ransomware to spread through internal systems.

Other reporting has documented exposure resulting from misconfigured servers, unsecured databases, and files uploaded to public platforms, including cases where dental providers and healthcare organizations inadvertently left millions of records accessible online. In one such case, reporting found roughly 2.7 million patient profiles and 8.8 million appointment records exposed. More recent coverage has also examined healthcare workers uploading sensitive information into generative AI tools, raising new questions about how everyday digital habits intersect with HIPAA obligations.

Across these incidents, the triggering action was simple. In most cases, it involved normal work performed under pressure, using tools staff relied on daily.

 

Why email keeps appearing in breach narratives

Email remains central to healthcare operations. Scheduling, referrals, billing questions, attachments, and internal coordination frequently pass through inboxes. That ubiquity helps explain why email accounts and messages appear so often in breach disclosures.

Paubox research and reporting consistently identify phishing as a primary method used to obtain credentials or deliver malware. Once an inbox is compromised, messages, attachments, and stored conversations can expose far more information than a single file or record.

Email also creates scale. A misdirected message, forwarded attachment, or reused credential can move beyond the original sender quickly, expanding exposure before the issue is detected.

 

Smaller organizations face the same pressures with fewer buffers

Smaller healthcare organizations experience these risks differently, but not less frequently. Analysis focused on small and midsize providers notes that phishing and spoofing affect organizations regardless of size.

The Paubox SMB report states: “Phishing is the leading cause of healthcare breaches. As of 2024, over 70% of healthcare data breaches originated from phishing attacks. These attacks don’t discriminate by size; in fact, 43% of SMB healthcare orgs reported experiencing a phishing or spoofing incident in the past year.”

The same report identified gaps in post-incident visibility, noting that “20% of SMBs don’t utilize any form of email archiving or audit trail, leaving 1 in 5 unable to investigate incidents after they happen.”

Without clear records, organizations may struggle to demonstrate what information was protected, how exposure occurred, or how quickly it was contained.

 

Controls limit how far mistakes travel

No system removes human error entirely. Controls shape the outcome when errors occur. Reporting and regulatory guidance often focus on whether safeguards were in place to limit exposure and support investigation.

As the Paubox SMB report shares, “Confidence without clarity is what gets organizations breached. We don’t just need encryption, we need evidence.”

Email security measures such as automatic encryption, access controls, audit trails, and incident logging do not change staff behavior, but they can reduce the scale of exposure and provide documentation when regulators or affected individuals ask what happened.
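The controls listed above only help an investigation if the log can answer the questions a regulator or affected patient actually asks: which messages carrying patient data left the organization unprotected, and how long it took to contain each one. The script below is an added example, not code from this page or from Paubox. It assumes a hypothetical newline-delimited JSON audit log with the fields shown, a hypothetical internal domain of clinic.example, and a DLP flag on each message; the log lines are constructed for illustration. It also treats transport TLS and message-level encryption separately, since TLS protects the hop but does nothing for a message sent to the wrong recipient.

```python
import json
from datetime import datetime

# Hypothetical internal mail domain for this illustration.
INTERNAL_DOMAIN = "clinic.example"

# Constructed audit-log lines (one JSON object per line), not real records.
# Fields: ts, event ("send" or "recall"), msg_id, from, to, tls, encrypted, dlp_hit.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:12:05Z", "event": "send", "msg_id": "m1", "from": "scheduler@clinic.example", "to": ["pt.smith@gmail.example"], "tls": true, "encrypted": true, "dlp_hit": true}
{"ts": "2024-03-04T09:14:40Z", "event": "send", "msg_id": "m2", "from": "billing@clinic.example", "to": ["records@otherclinic.example"], "tls": true, "encrypted": false, "dlp_hit": true}
{"ts": "2024-03-04T09:15:02Z", "event": "send", "msg_id": "m3", "from": "nurse@clinic.example", "to": ["charge@clinic.example"], "tls": true, "encrypted": false, "dlp_hit": true}
{"ts": "2024-03-04T09:20:00Z", "event": "send", "msg_id": "m4", "from": "hr@clinic.example", "to": ["vendor@payroll.example"], "tls": false, "encrypted": false, "dlp_hit": false}
{"ts": "2024-03-04T10:02:11Z", "event": "recall", "msg_id": "m2", "by": "admin@clinic.example"}
"""


def parse_log(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def is_external(addr, internal_domain=INTERNAL_DOMAIN):
    """True when the recipient is outside the organization's own domain."""
    return _domain(addr) != internal_domain.lower()


def unencrypted_external_phi(events, internal_domain=INTERNAL_DOMAIN):
    """Return msg_ids of sends that the DLP engine flagged as carrying patient
    data, went to at least one external recipient, and were not encrypted at
    the message level. TLS is deliberately ignored: a misdirected message over
    TLS still lands in the wrong inbox in the clear."""
    hits = []
    for e in events:
        if e.get("event") != "send" or not e.get("dlp_hit"):
            continue
        if e.get("encrypted"):
            continue
        if any(is_external(r, internal_domain) for r in e.get("to", [])):
            hits.append(e["msg_id"])
    return hits


def _ts(s):
    # Accept the trailing "Z" form on older Python versions.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def time_to_containment(events, msg_id):
    """Seconds from the send event to the first recall of the same message,
    or None when no recall is recorded (i.e. the exposure is still open)."""
    sent = next((e for e in events if e["msg_id"] == msg_id and e["event"] == "send"), None)
    recall = next((e for e in events if e["msg_id"] == msg_id and e["event"] == "recall"), None)
    if sent is None or recall is None:
        return None
    return int((_ts(recall["ts"]) - _ts(sent["ts"])).total_seconds())


def exposure_report(text, internal_domain=INTERNAL_DOMAIN):
    """Map each flagged message to its containment time in seconds (or None)."""
    events = parse_log(text)
    flagged = unencrypted_external_phi(events, internal_domain)
    return {m: time_to_containment(events, m) for m in flagged}


if __name__ == "__main__":
    # On the constructed log only m2 is flagged: PHI, external, unencrypted,
    # recalled 47 minutes 31 seconds later.
    print(exposure_report(SAMPLE_LOG))
```

The point of the report is the pair of facts it produces per message: that the exposure happened at all, and how long it stayed open. The 20% of SMBs without an archive or audit trail cited above cannot produce either number, which is what "unable to investigate incidents after they happen" means in practice.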

Paubox appears in this context as one example of an email control layer designed to protect messages in transit and support audit requirements when communication errors occur.

Read more: Paubox Inbound Email Security | Generative AI email security

 

FAQs

Why do staff actions appear so often in HIPAA breach reporting?

Research found that “a vast majority of health records were compromised due to poor human security,” with unintentional insider actions affecting more records on average than external attacks.

 

Are phishing incidents considered insider-related breaches?

When a staff action enables unauthorized access, threat reporting and regulators often classify the incident as insider-linked, even if external actors later expand the breach.

 

Do small healthcare organizations face the same risks as large systems?

Yes. Reports show phishing affects organizations regardless of size, with many SMBs lacking audit trails to investigate incidents after they occur.

 

Can technical tools prevent all workforce-related breaches?

Research does not suggest that tools eliminate mistakes. Controls influence how far an error spreads and how clearly organizations can document their response.
