HIPAA Security Awareness Training for Clinical Staff
This assessment covers core HIPAA security awareness concepts and is designed to supplement organizational compliance training programs. Most clinicians complete it in 25 to 35 minutes.
Complete this assessment to receive a certificate of completion for your records.
Please review the training material below before beginning the assessment.
© 2026 Michael Brown, MD. All rights reserved. No part of this material may be reproduced, distributed, or transmitted in any form without prior written permission.
More important than anything you know about IT security is what you do to protect patient data and the systems we all depend on. The ten items below are the core of everything this training is about. Please review them carefully before proceeding.
The Bottom Line: Ransomware attacks rank among the most financially devastating crises a health system can face.
A 2024 ransomware attack on Ascension resulted in over $1 billion in losses, including lost revenue, remediation costs, operational disruption, and potentially a ransom payment. Ascension has not publicly disclosed how much, if anything, it paid in ransom.
Reference: STAT News, "Ascension financials show $1.3 billion cost from cyberattack," 2024.
The Bottom Line: Attacks put patients at risk of being exploited.
Within hours of an attack at Kettering Health in Ohio in 2025 becoming public, criminals called patients impersonating hospital staff and requested credit card payments for medical bills. This illustrates that a cyberattack doesn't just harm the institution; it creates opportunities for criminals to exploit individual patients, often before the health system has even begun to recover.
The Bottom Line: The largest attacks on healthcare are carried out by sophisticated international criminal organizations.
The FBI and the American Hospital Association have been explicit that the largest healthcare cyberattacks are carried out by well-funded, professional criminal organizations operating from countries where they face little or no risk of prosecution. This is not opportunistic hacking by individuals; it is an organized criminal industry that targets hospitals deliberately because of the value of patient data and the pressure healthcare organizations face to restore services quickly.
The Bottom Line: Ransomware attacks kill patients.
Researchers at the University of Minnesota estimated that ransomware attacks resulted in a 34 to 38 percent increase in the death rate at affected institutions. That translates to between 42 and 67 Medicare patient deaths attributable to ransomware attacks between 2016 and 2021. Other patients likely also died, but the study was limited to Medicare data. To put it in practical terms: if a hospital's baseline Medicare death rate is 3 patients out of 100, a ransomware attack raises that to roughly 4 out of 100.
References: Neprash H, McGlave C, Nikpay S. "Hacked to Pieces? The Effects of Ransomware Attacks on Hospitals and Patients." American Economic Journal: Economic Policy. 2026;18(1):256-281. Hannah Neprash, Claire McGlave, and Sayeh Nikpay, "Ransomware attacks on hospitals: Study outlines patient impact," STAT News, November 2023.
The Bottom Line: Ransomware attacks can even harm patients beyond the walls of the attacked hospital.
During a month-long ransomware attack on a San Diego hospital system in 2021, two neighboring hospitals absorbed a surge of diverted patients. Out-of-hospital cardiac arrest survival with favorable neurologic outcomes collapsed from 40% before the attack to just 4.5% during it. Even patients at neighboring hospitals can be harmed as a result of an attack that never touched their institution.
The Bottom Line: Major system outages can last weeks. Know your downtime procedures before an outage.
Ascension's EHR systems were offline for over five weeks following the May 2024 ransomware attack. During that time staff reverted to paper documentation and results reporting. Secure messaging and automated alerts disappeared. Nurses reported taking on unsafe patient loads while managing paper charting, and clinicians feared making errors. No amount of preparation can eliminate the risk of a serious system outage, so familiarize yourself with your institution's downtime procedures before you need them.
The Bottom Line: Most data breaches involve a human mistake. That makes people like you the most important security control in your organization.
Nearly two out of three data breaches involve a non-malicious human mistake. For healthcare staff, that typically means clicking a phishing link, using a weak password, or falling for a social engineering attack. This is precisely why HIPAA requires regular security training for every employee with access to patient data.
The Bottom Line: A single click on a malicious link or attachment can be the first step in bringing down an entire health system.
A 2020 phishing attack on the University of Vermont Health Network led to a month-long EHR outage across six hospitals, costing an estimated $50 million in recovery and lost revenue. The attacker's initial foothold was a malicious email attachment opened on a personal laptop. The attack then spread when that laptop reconnected to the hospital network. Phishing remains the most common initial entry point for ransomware attacks on healthcare organizations.
Reference: Vermont Digger, "UVM Health Network says cyberattack will cost at least $63 million," 2021.
The Bottom Line: Criminals convincingly impersonate physicians to manipulate staff into giving them system access.
Social engineering manipulates people rather than technology. Criminals specifically exploit the instinct of healthcare workers to prioritize patient safety, creating urgent scenarios that pressure staff into bypassing security protocols. HHS has documented this tactic as a growing threat against healthcare organizations, and it is becoming harder to detect as AI voice cloning can now replicate a person's voice convincingly. If you receive an unexpected request for system access, however urgent or convincing it sounds, be suspicious. And if a nurse or helpdesk staff member asks to verify your identity before granting access, recognize that as good security practice.
The Bottom Line: Using your work password on outside websites puts your health system at risk.
Credential stuffing is when criminals take usernames and passwords exposed in a breach at one organization and try them against other, unrelated organizations. It works because people reuse the same passwords across multiple accounts. If anyone uses the same password for a work account that they use for a shopping site, a news subscription, or any other personal account, a breach at any one of those services can give criminals access to clinical systems. Using unique passwords for work accounts is one of the simplest and most effective individual defenses available.
Reference: Steve Alder, "23andMe User Data Stolen in Credential Stuffing Attack," HIPAA Journal, 2023.
The Bottom Line: Never plug an unknown device into a clinical workstation.
Plugging an unknown device into a workstation, such as a USB drive or portable storage device, can automatically execute code stored on that device. That is code you never saw, never approved, and cannot control. Most people would never knowingly run unknown software on a clinical network, but that is effectively what can happen when an unknown device is connected. Criminals can exploit this by deliberately leaving USB drives where they can be found by staff. In a 2016 study, security researchers dropped 18 drives labeled with a hospital's own logo on multiple floors of a real hospital. Within 24 hours, nearly all of them had been plugged into nursing stations.
References: Threatpost, "Hospital Security Fail: Report Outlines Dangerous Shortcomings," March 2016. Wikipedia, "2008 malware infection of the United States Department of Defense."
The Bottom Line: Entering patient data into an unapproved AI tool is a HIPAA violation. The full medicolegal implications are still emerging.
Entering patient information into a consumer AI tool without a signed Business Associate Agreement constitutes an impermissible disclosure of PHI under HIPAA regardless of intent. Three common assumptions are worth correcting: first, deleting the conversation does not guarantee it is gone. In fact, a 2025 federal court order required OpenAI to preserve user logs including deleted chats, and similar obligations may apply in other proceedings. Second, courts treat AI chat logs as discoverable electronic records. While case law specific to healthcare does not yet exist, AI prompts have already been subpoenaed in criminal and civil cases. Third, a malpractice subpoena targeting one staff member could expose every other staff member who entered that patient's information into an unapproved AI tool, and each instance could be a separate punishable HIPAA violation.
Reference: HIPAA Journal, "Is ChatGPT HIPAA Compliant?" 2026.
The Bottom Line: Everything done under your login is legally yours, regardless of who actually did it.
EHR systems log every access by individual user credential, not by the person physically at the keyboard. If your credentials are used to access records inappropriately, your name is in the log. The hospital or any attorney involved in subsequent litigation will see your name attached to every action taken. Sharing credentials extends your exposure to someone else's behavior. In 2023, attackers breached Enzo Biochem using login credentials shared among employees. Enzo paid $4.5 million in state fines and an additional $7.5 million to settle class action lawsuits. The New Jersey Attorney General called the password sharing "stunning" for a healthcare company.
The Bottom Line: A stolen password is not enough to break in if multifactor authentication is also required.
Microsoft analyzed hundreds of millions of accounts and found that multifactor authentication blocks over 99% of automated credential attacks. Multifactor authentication requires a second verification step beyond a password, typically a code sent to your phone, before access is granted. Congressional testimony following the 2024 Change Healthcare breach confirmed that criminals entered through a remote access portal that had no multifactor authentication. This breach exposed the records of 100 million Americans and caused over $800 million in damage.
References: CBS News, "UnitedHealth data breach caused by lack of multifactor authentication, CEO says," May 2024. HIPAA Journal, "Multi-Factor Authentication Blocks 99.9% of Automated Cyberattacks."
The Bottom Line: Treat unsolicited password reset requests as attacks.
According to HHS's Health Sector Cybersecurity Coordination Center, an unsolicited password reset request is one of the most common tools criminals use to steal login credentials. The fake reset page is designed to look exactly like the real application one might use every day. The criminal is not trying to reset your password. They are trying to trick you into giving them your current one.
If you tried to log in and were prompted to reset your password, that reset is safe to follow. If a reset request arrives by email or text without you having done anything, treat it as an attack. It may look real, but it is not.
Reference: HHS Health Sector Cybersecurity Coordination Center (HC3), Phishing Sector Alert.
The Bottom Line: These specific anomalies are known indicators of account compromise. Report them immediately. A false alarm costs minutes; a missed one can cost weeks.
A password that stops working without explanation, an unexpected login, or an unsolicited reset confirmation are recognized indicators of account compromise, not routine system behavior. Security teams need to know about them immediately because the window between initial compromise and significant damage can be very short. If you suspect your account may have been compromised as a result of something you clicked or opened, report that context to IT as well. Acting quickly limits the damage regardless of how it happened.
Contact your IT helpdesk at: [phone number] / [email address]
The Bottom Line: Sending patient information to the wrong person is a reportable HIPAA breach.
A misdirected message constitutes a reportable HIPAA breach that can trigger a federal investigation and financial penalties. According to the HHS Office for Civil Rights 2023 Annual Report to Congress, misdirected communications, including fax, email, and mailings, are among the most common causes of HIPAA violations resulting in settlements, with millions of dollars in penalties paid annually. Be especially careful with attached documents such as Excel spreadsheets, which may contain detailed information on hundreds of patients at once.
The Bottom Line: Don't access a patient's record without a clinical reason.
Accessing patient records without a legitimate clinical reason is a HIPAA violation regardless of whether the information is shared. This is one of the most common forms of deliberate insider misconduct in healthcare, and hospitals audit record access routinely. The individual employee, not just the organization, can face personal criminal liability, job termination, and loss of their professional license. The fact that the information stayed private is not a defense. Curiosity is not a clinical reason.
In a documented federal case, a Little Rock physician pled guilty to a misdemeanor HIPAA violation after accessing the medical records of a high-profile patient out of curiosity with no financial motive. He was sentenced to one year of probation, a $5,000 fine, and 50 hours of community service educating other healthcare professionals about HIPAA.
The Bottom Line: Intentional misuse of patient data is a federal crime.
HIPAA criminal penalties scale with intent. Knowingly accessing or disclosing patient information without authorization can result in up to one year in prison. Doing so under false pretenses raises that to five years. When the intent is personal gain, commercial advantage, or malicious harm, the penalties reach up to 10 years in prison and a $250,000 fine. Accidental violations are treated very differently. The law is much more forgiving of individuals who make honest mistakes.
Reference: American Medical Association, "HIPAA Violations and Enforcement."
The Bottom Line: Portable devices containing patient data must be encrypted.
The loss of a properly encrypted laptop is not considered a reportable HIPAA breach, even if the laptop is never recovered. Not storing patient data locally eliminates the risk entirely. Deidentified data is not considered PHI under HIPAA, so its loss does not trigger breach notification requirements. However, deidentification has strictly defined requirements under HIPAA and is not a practical option for most clinical workflows.
A stronger password alone provides minimal protection, since an experienced criminal can bypass a login password and read an unencrypted hard drive directly. The same principle applies to USB drives. In 2015, St. Luke's Cornwall Hospital in Newburgh, New York experienced a breach affecting 29,156 patients after an unencrypted USB thumb drive containing patient data was stolen from a restricted area of the facility.
References: HHS Office for Civil Rights, "Northwell Health's Feinstein Institute for Medical Research Pays $3.9 Million for HIPAA Violations," 2016. HIPAA Journal, "St. Luke's Cornwall Hospital Notifies 29K Patients of Data Exposure," 2016.
Congratulations on completing this training. You will not remember every statistic or every case study, and that is fine. What matters is that you remember enough to act appropriately when it counts. You saw this list at the start. Here it is one final time.
Cybersecurity is not someone else's problem. Attacks cause real harm to real patients, and human behavior is both the most common vulnerability and the most powerful defense. Your IT department is here to support you.