research news
By KEVIN MANNE
Published January 15, 2026
Even when tech professionals believe they are likely to be caught, many can still be tempted into violating health privacy laws if the payoff is high enough, according to new research from the School of Management.
Forthcoming in Engineering Management Review, the study examines how salary levels, perceived risk of getting caught and interest in hacking influence whether individuals would be willing to illegally share protected health information.
The research builds on a 2020 study that investigated the role that monetary incentives play in violating HIPAA (the Health Insurance Portability and Accountability Act of 1996). In this latest study, researchers focused on cybersecurity insiders and used the capabilities, motives and opportunities model, along with economic theory, to understand insider attacks and their connection to hacking behavior.
The current study also investigates how different income levels influence the amount of money required for an individual to violate HIPAA laws, and finds that those who earned more money usually needed a much bigger reward to break health privacy rules. The results provide further evidence of the role of risk perceptions, rewards and potential gains when perpetrators decide to engage in illicit cyberactivity.
“Insider cybersecurity threats are driven as much by economic and behavioral factors as by technology,” says study co-author Lawrence Sanders, professor emeritus of management science and systems. “As cyberattacks and data breaches continue to rise, particularly in health care and other data-intensive sectors, our findings underscore the need for organizations to address the human and economic dimensions of cybersecurity alongside traditional technical controls.”
The researchers surveyed more than 500 undergraduate college students in technology-related programs who represent future IT workers. The students were asked to imagine working at a hospital earning between $30,000 and $100,000, experiencing financial stress and being offered money to leak information about a famous patient.
In total, 58% of participants said they would violate health privacy regulations in exchange for money, with amounts ranging from less than $10,000 to more than $10 million, depending on the perceived probability of getting caught and the salary level of the employee.
Interest in ethical hacking can also increase risk: it was linked to lower monetary requirements to violate HIPAA, as well as to increased interest in unethical hacking when participants were assured they would not be caught, supporting the idea of “moral drift,” where ethical hackers may cross boundaries under the right conditions.
To prevent such breaches, researchers say organizations should work to understand the conditions under which professionals are tempted to act unethically and develop appropriate data security and staff management strategies to meet evolving threats.
“Promoting awareness and education can discourage people from engaging in cybercrime by highlighting the negative consequences and risks associated with it,” says Sanders. “Initiatives that promote economic opportunity, social inclusion, cybersecurity literacy and a more secure digital environment are part of the solution.”
Sanders collaborated on the study with School of Management colleagues Laura Amo, associate professor of management science and systems; Joana Gaia, clinical assistant professor of management science and systems; David Murray, clinical professor of management science and systems; and Raghav Singh, a PhD in management candidate, along with Shambhu Upadhyaya, professor of computer science and engineering in the School of Engineering and Applied Sciences, and Sean Sanders, assistant professor of cybersecurity in the Illinois State University College of Applied Science and Technology.
