HIPAA Violations For Profit: Why Cyber Liability Teams Should Worry


A research paper raises a direct question about HIPAA: How much money would it take for someone to break privacy rules? The findings should concern cyber liability teams. Researchers discovered that 58% of participants named a price they would accept to violate HIPAA. While many cyber incidents start with mistakes, this study highlights a different problem for healthcare cybersecurity: insider risk, greed, and intentional decisions.

A Market Price For Violating HIPAA

The authors explored what motivates people to break privacy laws. They looked at economic incentives, income, interest in ethical hacking, and fear of getting caught. Their model draws from crime economics, prospect theory, and the COM-B behavior framework.

The researchers surveyed 523 people about to start their careers. Of these, 306 (58%) said they would accept money to break HIPAA rules. The amounts ranged from nothing to over $10 million.

Warnings about getting caught did not stop everyone. Many participants still negotiated a price even when they thought they might be caught. This shows the need for better security training and more careful risk assessments.

[Image: a patient file folder stamped HIPAA with a price tag, illustrating insider healthcare data theft risk and cyber liability exposure]

Healthcare Breaches Still Pay

The authors put their study in the context of current healthcare risks. They mention a survey where almost 60% of 400 healthcare organizations faced ransomware attacks in 2024. Recovery often took weeks or even months.

They also reference the FBI’s estimate that internet crimes caused over $10.3 billion in losses in 2022. The authors describe cybercrime as a growing global problem.

Next, they discuss insider threats. Research shows that insiders cause about a third of breaches. There was also a 25% increase in insider incidents when more people worked remotely.

The main point is clear: human behavior is a major risk factor. Both carelessness and intent play important roles.

Crime Economics Meets Security Culture

The paper uses the COM-B model to explain why insiders act as they do. COM-B connects behavior to a person’s ability, opportunity, and motivation. The authors see hacking as a choice made within certain limits.

They also use deterrence theory, which says people balance possible rewards against the risk of being caught. The paper points out that harsher punishments do not always have the same effect in different studies.

Prospect theory adds another layer. People often misunderstand probabilities. They tend to exaggerate small risks and downplay large ones.

The paper uses a pop culture example, citing “Jaws” as a lesson in how people misjudge risk.

“The Jaws movie had a profound influence on perceptions of shark attacks and, indeed, caused widespread panic, although the risk of attack is very low. Even today, many people remain reluctant to swim in the ocean due to the movie.”

Salary, Skills, And Apprehension

The authors outline clear expectations. A higher salary should raise the required bribe. More white-hat interest should reduce the required bribe.

They also test a controversial link. They ask whether white-hat interest correlates with gray-hat and black-hat interest. Additionally, they test that link under “assured they will not get caught” conditions.

Finally, they look at how fear of getting caught affects decisions. If someone thinks they are more likely to be caught, they will demand more money. This fits with traditional deterrence theory.


The “Famous Patient” Insider Scenario

The researchers created a scenario in a hospital. Each participant acts as a computer support worker facing financial problems. A friend from a media company asks them for information about a “very famous patient.”


In the scenario, salaries are set at $30,000, $55,000, or $100,000. Participants are then asked what amount of money would make them agree to share the information. This setup helps researchers see how income affects decisions.

The Price Points Look Like A Real Marketplace

The results show different risk levels. Ten percent would sell information for less than $10,000. Eight percent would do it for between $10,000 and $99,999.

Twenty percent would sell for $100,000 to $999,999, and another twenty percent would only do it for more than $1 million. Meanwhile, forty-one percent said they would never sell, no matter what.

Deterrence is not always effective, which leaves organizations at risk. The paper points out that 13% of people thought there was a 93% chance of being caught but still gave a price. Security leaders should take note: no perceived likelihood of detection deters everyone.

The authors deliver a line that sounds like a claims adjuster’s summary. “Ultimately, there is always a price.” That sentence captures the risk for privacy-driven industries.

The paper also compares its results to a 2020 study, which found that 46% would take money in some situations. The current study shows even more people are willing.


Controls That Matter To Cyber Insurance

The paper offers control recommendations based on organization size. It suggests regular monitoring, clear deterrence measures, and frequent simulations. For larger companies, it highlights the use of SIEM and behavioral analytics.

Smaller companies receive practical tips. Leaders should strengthen ethical standards by staying close to their teams and using real-life scenarios. Startups can encourage employees to report problems by offering rewards, similar to a “bug bounty.”


Table IV reads like a cyber-insurance controls checklist. Identify critical assets. Formalize procedures for external, internal, and third-party risks. Identify vulnerabilities and prioritize fixes. Implement controls and training. Monitor and review the program.
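To make the monitoring and behavioral-analytics recommendation concrete, here is an added example (not code from the paper or this article) of the kind of rule a SIEM would run over EHR audit logs in the "famous patient" scenario. The audit-line format, the flagged-patient list, the care-team assignments and the log lines themselves are all constructed for illustration.

```python
"""Toy insider-access detector run over constructed EHR audit-log lines.

Added example (not from the paper or this article). It assumes a simple
comma-separated audit format and hypothetical control data: a list of
flagged high-profile records and who is on each patient's care team.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit lines: timestamp,user,role,patient_id,action
SAMPLE_LOG = """\
2025-03-01T09:02:11Z,dr.lee,physician,P-1001,view
2025-03-01T09:05:40Z,nurse.kim,nurse,P-1001,view
2025-03-01T09:15:02Z,itsupport.joe,it_support,P-7777,view
2025-03-01T09:15:30Z,itsupport.joe,it_support,P-7777,export
2025-03-01T10:01:00Z,dr.lee,physician,P-7777,view
2025-03-01T10:20:00Z,nurse.kim,nurse,P-1002,view
2025-03-01T11:00:00Z,nurse.kim,nurse,P-7777,view
"""

VIP_PATIENTS = {"P-7777"}                        # hypothetical flagged records
CARE_TEAM = {"P-7777": {"dr.lee"},               # hypothetical care assignments
             "P-1001": {"dr.lee", "nurse.kim"},
             "P-1002": {"nurse.kim"}}
CLINICAL_ROLES = {"physician", "nurse"}

@dataclass(frozen=True)
class Alert:
    user: str
    patient: str
    reason: str

def detect(log_text: str, max_distinct_patients: int = 2) -> list[Alert]:
    """Return alerts for role, care-relationship and volume anomalies."""
    alerts, seen = [], defaultdict(set)
    for line in log_text.strip().splitlines():
        _ts, user, role, patient, action = line.split(",")
        seen[user].add(patient)
        if role not in CLINICAL_ROLES:
            # Support staff have no business opening patient records at all.
            alerts.append(Alert(user, patient, f"non-clinical role {role}: {action}"))
        elif patient in VIP_PATIENTS and user not in CARE_TEAM.get(patient, set()):
            # Flagged record opened by a clinician with no care relationship.
            alerts.append(Alert(user, patient, "VIP record opened outside care team"))
        if action == "export" and patient in VIP_PATIENTS:
            alerts.append(Alert(user, patient, "export of flagged record"))
    # Simple behavioral baseline: too many distinct charts touched in one window.
    for user, patients in seen.items():
        if len(patients) > max_distinct_patients:
            alerts.append(Alert(user, "*", f"{len(patients)} distinct charts"))
    return alerts
```

In production the care-team and VIP lists would come from the EHR's assignment and break-the-glass data, and the volume threshold would be a per-role baseline rather than a constant.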

The paper also frames privacy as power. It quotes Tim Cook: “Our own information is being weaponized against us.” That quote fits the insider-risk frame.

A Human Risk Problem With Pricing Data

For cyber insurance, the key insight is in the pricing. Some insiders behave like rational bidders. Higher salaries and a greater chance of being caught both lead to higher demands.

However, fear by itself does not stop people from being willing to break the rules. This ongoing problem leads to real losses. Underwriters should realize that training alone is not enough. Controls need to limit opportunities and make detection more certain. Company culture must also work to lower motivation.
