Study finds some future healthcare IT workers would sell data for money
Farah Amod
February 4, 2026
New academic research points to economic pressure and perceived risk as drivers of insider privacy violations.
What happened
A new academic study examining insider cybersecurity risk found that 58 percent of surveyed college students said they would violate HIPAA and disclose patient information in exchange for money under certain conditions. The research, conducted by Lawrence Sanders of the University at Buffalo and colleagues, focused on undergraduate students in technology-related programs who represent future healthcare IT workers. Participants were asked to imagine working at a hospital, experiencing financial stress, and being offered payment to leak information about a well-known patient. Despite being informed that the behavior would violate federal health privacy law, more than half said they would proceed, with the amount required ranging from less than ten thousand dollars to more than ten million dollars, depending on salary level and perceived likelihood of being caught.
Going deeper
The study builds on earlier research from 2020 that examined how financial incentives influence willingness to violate healthcare privacy rules. In the earlier work, nearly half of the participants said they would illegally disclose medical data if offered sufficient compensation, and that number increased sharply in emotionally charged scenarios. The latest research applied economic theory and insider threat models to understand how income, opportunity, and behavioral factors shape decision-making. Researchers found that higher salaries generally increased the amount of money required to justify a violation, while lower perceived detection risk reduced hesitation. Interest in ethical hacking was also associated with lower thresholds for misconduct, particularly when participants believed enforcement was unlikely.
What was said
Jonathan Sanders said the findings challenge the idea that insider risk can be addressed through technical safeguards or policy awareness alone. In comments published by UBNow in January 2026, Sanders said, “Insider cybersecurity threats are driven as much by economic and behavioral factors as by technology.”
He said the results are particularly relevant for healthcare and other data-intensive environments, where access to sensitive information is routine. “As cyberattacks and data breaches continue to rise, particularly in health care and other data-intensive sectors, our findings underscore the need for organizations to address the human and economic dimensions of cybersecurity alongside traditional technical controls,” Sanders said.
Sanders said awareness and education can discourage misconduct, but are not sufficient on their own. “Promoting awareness and education can discourage people from engaging in cybercrime by highlighting the negative consequences and risks associated with it,” he said, adding that “initiatives that promote economic opportunity, social inclusion, cybersecurity literacy, and a more secure digital environment are part of the solution.”
The big picture
The findings line up with what breach data has been showing for years. According to IBM’s X-Force Threat Intelligence Index, more than 70% of healthcare breaches it analyzed involved insider activity, either deliberate misuse or unintentional errors that exposed sensitive data. The report helps explain why economic pressure and perceived detection risk matter so much. Insider-driven incidents often bypass perimeter defenses entirely because access is already legitimate. A Ponemon Institute analysis published by DTEX Systems estimated that insider-related incidents in healthcare can cost as much as $16.2 million on average, factoring in breach response, regulatory penalties, operational disruption, and long-term reputational damage. Taken together, the data suggest that insider risk is not a fringe concern or a training problem alone. It is a core security and compliance issue shaped by human incentives, oversight gaps, and real-world pressures that many future healthcare IT workers may face.
FAQs
Why are insiders considered a major risk in healthcare?
Healthcare workers often have legitimate access to sensitive systems, which means misuse can occur without triggering traditional perimeter defenses.
Does knowing HIPAA rules prevent violations?
Awareness helps, but the study shows that financial pressure and perceived enforcement gaps can override legal knowledge.
Why did the salary level affect willingness to violate privacy rules?
Higher salaries increased the amount participants felt was necessary to justify the risk, while lower salaries reduced that threshold.
What part does perceived detection risk play?
Participants were more likely to disclose data when they believed the chance of being caught was low or that consequences were unlikely.
How can organizations reduce insider risk beyond training?
They can limit unnecessary access, monitor unusual behavior, enforce separation of duties, provide support during financial hardship, and clearly demonstrate enforcement of violations.
