
Insider threats: How health systems can stop EHR snooping
Cyber threats can come from within a hospital's workforce, and proper training is required to stop them from stealing valuable patient data in electronic health records.
Data breaches in hospitals don't always come from malicious remote cybercriminals. Insider threats from fellow clinicians down the hall can also jeopardize the security of protected health information in EHRs. One common form is EHR snooping, in which a healthcare worker accesses patient records that are unrelated to their job function.
EHR snooping can be motivated by curiosity or negligence. Non-malicious insiders might be careless and inattentive when sharing data, or they just make genuine mistakes. Meanwhile, malicious insiders intend to cause harm. Some EHR snooping is motivated by a desire to steal or sell patient data.
Stealing and selling health records can lead to medical identity theft, in which criminals use the stolen insurance information to file fraudulent claims.
Whether it's intentional or not, inappropriate EHR access violates the Health Insurance Portability and Accountability Act. Beyond damaging the health system's reputation, it can lead to termination of the employee and legal fines for the organization.
Health systems encounter EHR snooping and negligence
In 2021, Huntington Hospital, a Northwell Health facility in Huntington, New York, sent notices to around 13,000 patients informing them that a night-shift employee had violated its policies by improperly accessing EHR info. The employee was suspended and terminated.
Incidents like this are common.
In January 2025, Eastern Idaho Public Health reported a data breach in which an employee may have accessed protected health information without authorization. During the investigation, the health system reviewed access logs and determined that patient clinic notes had been accessed. Eastern Idaho said it did not consider the breach malicious and that no patient data had been misused. The health system did terminate the staff member involved.
Six months later, in June 2025, the University of Miami Health System uncovered a breach involving an employee accessing EHRs without a real business or clinical reason. The improper access occurred between September 2022 and May 2025. The health system fired the employee.
"Improperly authorized individuals may gain access to data that is not needed to perform their job function," said Phil Englert, vice president of medical device security at Health-ISAC, the Health Information Sharing and Analysis Center. "This may lead to leaks and breaches of personal information or even fraudulent activity related to medications or other prescribed therapies."
How to train staff to protect EHRs
To address insider threats, healthcare organizations should follow a strategy of "least privilege," in which they grant each user only the minimum access rights required to perform their specific tasks or functions.
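The two controls the article relies on, least privilege and the access-log review Eastern Idaho describes, can be checked mechanically against an EHR audit trail. The following is an added example, not code from the article or from any EHR vendor: every role, user, patient, encounter and log line is constructed for illustration, and the pipe-separated log format, the 24-hour lookback and the rule that only clinical sections require a treatment relationship are assumptions. It flags an access when the record section is outside the user's role (least privilege) or when a clinical section is opened for a patient the user has no documented care relationship with (snooping).

```python
"""
Added example: review constructed EHR audit lines for two conditions.

  1. Least privilege: a role may open only the record sections it needs.
  2. Treatment relationship: opening a clinical section should be backed by
     an active encounter on the user's unit or a care-team assignment,
     within a lookback window after discharge.

All roles, users, patients, encounters, log lines and the log format are
constructed for the example; real EHR audit trails use different fields.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Role -> record sections the role may open (constructed, least-privilege table).
ROLE_PERMISSIONS = {
    "nurse":     {"demographics", "vitals", "medications", "clinic_notes"},
    "physician": {"demographics", "vitals", "medications", "clinic_notes", "labs"},
    "scheduler": {"demographics"},
    "billing":   {"demographics", "insurance"},
}

# Sections that require a documented care relationship; a front-desk
# demographics lookup is normal workflow and is not checked for one (assumption).
RELATIONSHIP_REQUIRED = {"vitals", "medications", "clinic_notes", "labs", "insurance"}

# User -> (role, home unit). Constructed.
USER_ROLES = {
    "u.rivera": ("nurse", "ED"),
    "u.chen":   ("physician", "ED"),
    "u.park":   ("nurse", "NICU"),
    "u.gomez":  ("scheduler", "FrontDesk"),
}

@dataclass
class Encounter:
    patient_id: str
    unit: str
    care_team: set
    start: datetime
    end: datetime

# Constructed encounters standing in for the EHR's census / care-team data.
ENCOUNTERS = [
    Encounter("P-1001", "ED", {"u.rivera", "u.chen"},
              datetime(2025, 6, 1, 8), datetime(2025, 6, 1, 20)),
    Encounter("P-2002", "NICU", {"u.park"},
              datetime(2025, 6, 1, 0), datetime(2025, 6, 3, 0)),
]

LOOKBACK = timedelta(hours=24)  # chart views shortly after discharge are plausible (assumption)

def parse_log_line(line):
    """Constructed format: ISO timestamp|user|patient|section."""
    ts, user, patient, section = line.strip().split("|")
    return datetime.fromisoformat(ts), user, patient, section

def has_treatment_relationship(user, patient, ts):
    """True if the user was on the care team or the patient was on the user's unit
    during an encounter that was active (or ended within LOOKBACK) at time ts."""
    _role, unit = USER_ROLES.get(user, ("unknown", None))
    for e in ENCOUNTERS:
        if e.patient_id != patient:
            continue
        if not (e.start <= ts <= e.end + LOOKBACK):
            continue
        if user in e.care_team or e.unit == unit:
            return True
    return False

def review_access(line):
    """Return the list of findings for one audit line; an empty list means nothing suspicious."""
    ts, user, patient, section = parse_log_line(line)
    role, _unit = USER_ROLES.get(user, ("unknown", None))
    findings = []
    if section not in ROLE_PERMISSIONS.get(role, set()):
        findings.append(f"{user} ({role}) opened '{section}' of {patient}: section not permitted for role")
    if section in RELATIONSHIP_REQUIRED and not has_treatment_relationship(user, patient, ts):
        findings.append(f"{user} opened '{section}' of {patient} at {ts.isoformat()} with no treatment relationship")
    return findings

def review_log(lines):
    """Map each non-empty audit line to its findings."""
    return {line: review_access(line) for line in lines if line.strip()}

SAMPLE_LOG = [  # constructed audit lines
    "2025-06-01T09:15:00|u.rivera|P-1001|vitals",        # ED nurse, own ED patient: fine
    "2025-06-01T09:20:00|u.rivera|P-1001|labs",          # nurse opening labs: outside role
    "2025-06-02T02:40:00|u.rivera|P-2002|clinic_notes",  # ED nurse reading a NICU patient's notes overnight
    "2025-06-01T10:00:00|u.gomez|P-1001|demographics",   # scheduler lookup: permitted, no relationship needed
]

if __name__ == "__main__":
    for line, findings in review_log(SAMPLE_LOG).items():
        print(line, "->", findings or "ok")
```

In practice the encounter and care-team data come from the EHR itself, and the review runs over the vendor's audit export rather than a hand-written list; the useful part is the shape of the two checks, which is what a privacy-monitoring tool or an auditor reviewing logs after an incident applies at scale.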
Health IT leaders must highlight the importance of security training and educate employees on how to conform to HIPAA regulations to reduce threats. More than 81% of companies currently have or plan to implement an insider risk management program in 2025, compared with 77% in 2023, according to the Cost of Insider Risks Global Report 2025 by DTEX and the Ponemon Institute.
Cybersecurity companies like KnowBe4 offer tools to catch phishing attacks using a combination of human detection and AI analysis. KnowBe4 also offers simulated phishing training. In addition, role-based training in which employees learn what other team members do on a day-to-day basis would provide helpful insight to hospital cybersecurity leaders.
And just maintaining HIPAA compliance isn't enough, according to Ty Greenhalgh, HHS 405(d) ambassador and healthcare industry principal at Claroty, a company that offers cyber-physical systems protection.
"I think we need to move past just being compliant to actually creating things that have value," Greenhalgh said.
Greenhalgh recommends decommissioning old medical devices like infusion pumps, which insiders can use to log in to a health system's network. He notes that organizations often fail in risk analysis, which is a requirement of the HIPAA Security Rule.
"If the training would show everyone where they are deficient in meeting the standards particular to their role, then they might know what they need to fix," Greenhalgh said.
Health systems can try persona-based training, in which employees receive training on specific technology for multiple areas and workflows, such as the clinical workflows of NICU nurses compared with those of emergency room staff, Englert advised.
"To engage clinical staff as an early warning system for cyber anomaly behaviors, the lessons must be readily related to specific clinical environments, and IT security staff must be well trained to respond," Englert said.
He suggests conducting 5-minute exercise briefs so staff receive security reminders more frequently, rather than only participating in training annually. Englert also advocates for departments to have "cyber champions," whom many healthcare organizations appoint to provide insight into how cyber risks translate into clinical impact.
With the threats that health systems face from within their own workforce, taking these steps can protect organizations from insider security breaches and avoid disruptions to patient care.
Brian T. Horowitz started covering health IT news in 2010 and the tech beat overall in 1996.