The Hidden Risk Inside Your Trusted EHR

Key Takeaway: Unchecked trust in “stable” EHR systems hides internal risk that erodes compliance, ROI, and therapeutic continuity—especially in behavioral health where confidentiality equals care.

The Exposure Everyone Overlooks

Every behavioral health organization relies on its EHR. Most trust it completely. That trust has a blind spot.

The biggest EHR threats don’t announce themselves. They grow quietly inside your system: a user account copied from someone with broader access than needed, a former staffer whose credentials were never fully removed, audit logs collecting dust until there’s a breach and everyone scrambles.

These issues don’t raise alarms until they do. In behavioral health, where data is deeply personal and therapeutic relationships take months to build, even small missteps can trigger serious consequences for clients and the organization.

Most frontline staff can sense when something feels off. A coworker has more access than seems necessary. A login shows up in an odd place. But these signals rarely get flagged—not because people don’t care, but because no one’s sure where to take them.

That’s how exposure grows.

What the Data Shows

Insider Risk Dominates Healthcare Breaches

Research shows that over a ten-year period, unauthorized internal disclosures accounted for a substantial percentage of all breaches (Ali et al., 2022). Analysis of breach patterns consistently shows unauthorized access and disclosure as a leading cause of healthcare data exposure, second only to hacking incidents.

Studies consistently confirm that human factors, including carelessness and misuse of data, are significant contributors to healthcare data breaches (Hussain et al., 2022). Insider threats are particularly difficult to detect because the actors have legitimate access (Raji et al., 2022).

The Financial and Operational Cost

For the 14th consecutive year, healthcare data breaches remain the most expensive across all industries, averaging $7.42 million per incident, with U.S. healthcare costs reaching $10.22 million (IBM Security & Ponemon Institute, 2025). The research, conducted by Ponemon Institute on behalf of IBM Security, analyzed 600 organizations globally affected by data breaches between March 2024 and February 2025.

The financial impact extends beyond technical fixes. Cybersecurity incidents in healthcare disrupt care delivery, erode patient trust, and can lead to adverse patient safety outcomes (AAAS, 2025). The exposure of sensitive mental health information fundamentally undermines the confidentiality that forms the foundation of the provider-patient relationship.

Breaches Hide in Plain Sight

Breaches across the healthcare sector take the longest to identify and contain at 279 days—more than five weeks longer than the global average (IBM Security & Ponemon Institute, 2025). This extended dwell time indicates quiet, habitual issues go unnoticed for months while exposure compounds.

Breaches rarely begin with a dramatic breakdown. They start with quiet, habitual decisions no one flags as risky: staff share credentials to bypass login friction, removing all accountability; new hires inherit the permissions of whoever left last, regardless of need; audit logs exist, but no one reviews them unless an incident demands it.

Fear Prevents Early Detection

Research into incident reporting among healthcare professionals consistently identifies fear of negative consequences or fear of retribution as the most cited barriers to reporting (Al-Abri et al., 2021). Staff are often reluctant to raise concerns due to the risk of being blamed, labeled, or facing negative repercussions (Moore & McAuliffe, 2014).

A pervasive blame culture and lack of effective feedback from reported incidents contribute to underreporting of adverse events and near misses. This culture of silence prevents organizations from learning from small concerns and identifying system-level vulnerabilities before they lead to a major security event.

MFA Failures Enable Major Breaches

The absence of Multi-Factor Authentication (MFA) on remote access portals was the root cause of the most disruptive U.S. healthcare cyberattack to date. In Congressional testimony before the Senate Finance Committee and House Energy and Commerce Committee, UnitedHealth Group CEO Andrew Witty confirmed that the Change Healthcare ransomware attack occurred specifically because a remote access portal did not have MFA enabled, despite company policy requiring it (U.S. Senate Committee on Finance, 2024). The attack disrupted healthcare nationwide and potentially compromised data for a third of Americans.

Witty testified: “Change Healthcare was a relatively older company with older technologies, which we had been working to upgrade since the acquisition. But for some reason, which we continue to investigate, this particular server did not have MFA on it” (House Committee on Energy and Commerce, 2024). Senator Ron Wyden characterized it as a failure of “cybersecurity 101.”

The Behavioral Health Difference

In substance use treatment settings, this risk takes on additional complexity. Records protected under 42 CFR Part 2 carry stricter confidentiality requirements than standard HIPAA protections. Even within your own organization, staff may not realize that accessing a patient’s substance use treatment record without explicit consent—even if they have technical access—can trigger federal violations. These aren’t just policy concerns. They’re legal exposures that can result in criminal penalties.

Healthcare workers sometimes access information out of curiosity, such as records about family or coworkers, that they have neither the need nor the right to know (National Academies, 2000). This insider abuse of access privileges represents a major category of internal threat in settings where therapeutic trust is paramount.

Five Questions Leadership Should Ask

If you’re in the C-suite or managing operational teams, here’s where to start:

1. Who owns the process of reviewing EHR access, and how frequently is it done?

If the answer is vague or involves multiple unclear handoffs, access drift is already happening. Someone needs to own this review cycle, and it needs to happen at regular intervals.

Benchmark: Access reviews should occur at minimum quarterly, with high-privilege accounts reviewed monthly. Each review should produce a documented sign-off confirming that current permissions align with current roles.

2. When was the last time audit logs were proactively reviewed, without being triggered by an incident?

The HIPAA Security Rule mandates the implementation of audit controls, which means recording and examining activity in information systems that contain or use electronic Protected Health Information (HHS). Effective audit trails provide visibility into every interaction, helping to detect unauthorized access, unusual activity, and potential tampering (HHS Technical Safeguards).

Yet EHR systems generate vast amounts of log data, and despite the critical importance of these logs for detecting inappropriate access, proactive review is frequently not undertaken unless an incident has already occurred.

Benchmark: Audit logs should be reviewed weekly for anomalies such as after-hours access, bulk record exports, or access to VIP/employee records. At minimum, a monthly comprehensive review should be documented and retained.

3. Are any systems still using shared credentials?

Shared logins eliminate accountability and make it impossible to trace who accessed what. The HIPAA Security Rule includes a required implementation specification for Unique User Identification, which mandates assigning a unique name or number for tracking user identity (HHS Technical Safeguards). This allows entities to hold users accountable for functions performed on systems containing ePHI.

Benchmark: Zero shared credentials should exist in any system containing PHI or ePHI. Every user should have a unique identifier that allows for complete activity tracing. If shared accounts exist for legitimate system functions, they should be exception-documented and tightly controlled.

4. Can we identify every high-access user and confirm that their access still aligns with their role?

Roles change. People leave. Permissions don’t update themselves. If you can’t quickly produce a list of high-privilege users and justify their access, you have exposure.

Research shows that implementing strict access controls based on the principle of least privilege is a critical strategy for mitigating insider data breaches in healthcare (HHS Security Rule). When organizations fail to follow this principle by over-provisioning access or not removing it when roles change, they directly expose patient data.

Benchmark: Your organization should be able to produce a complete list of users with administrative access or access to more than 100 patient records per month within 24 hours. Each should have documented business justification reviewed within the past 90 days.

5. Is multi-factor authentication fully deployed for all EHR access points?

Single-factor authentication is no longer defensible. While MFA is technically listed as an “addressable” specification under the HIPAA Security Rule’s Technical Safeguards, this does not make it optional. The regulation requires organizations to implement MFA unless they can document why it is not reasonable and appropriate—and recent breach investigations make that documentation nearly impossible to justify.

The evidence is unambiguous: in Congressional testimony, UnitedHealth Group’s CEO confirmed that the Change Healthcare breach, which affected millions, occurred specifically because MFA was not enabled on remote access. Regulators and investigators identified the absence of MFA as the preventable root cause. Any organization claiming MFA is not “reasonable and appropriate” will face an uphill battle explaining how its risk environment differs from this catastrophic failure.

Benchmark: 100% MFA coverage for all remote access and all administrative accounts. At minimum 95% coverage for standard user accounts, with documented exceptions only for technical limitations, not user convenience.

What You Can Do This Week

You don’t need to overhaul your EHR overnight. But you can take small, specific steps that reduce risk right now:

Review access roles for a few key users. Are their permissions still aligned with their current responsibilities? Start with just three to five accounts. Document what you find.

Check MFA settings. Is multi-factor authentication turned on everywhere it should be? If not, prioritize remote access and administrative accounts first.

Start a light-touch audit. Choose one week of audit logs and skim for anything unusual. Look for after-hours access, bulk record views, or access to records of employees or high-profile clients. If your organization uses a compliance platform, check whether it can help automate some of this monitoring.

Create a culture of reporting. Let your team know it’s okay to flag oddities, even if they turn out to be nothing. Making it safe to speak up is the single most effective control you can implement.

None of this requires a massive project. It just requires attention and a little permission to speak up.
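The weekly log review described under question 2, the light-touch audit above, and the 100-records-per-month benchmark from question 4 can be run as a simple script over an access-log export. The following is an added example, not code from the article or from any EHR vendor; the business hours, bulk threshold, staff-chart watchlist and the log records themselves are constructed assumptions, and a real review would substitute the organization's own export format and policy values.

```python
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS = range(7, 19)           # 07:00-18:59 counts as in-hours (assumed policy)
WATCHLIST = {"E0042", "E0107"}          # constructed ids of staff / high-profile client charts
BULK_COUNT, BULK_WINDOW_MIN = 10, 15    # assumed bulk threshold: 10 distinct charts in 15 minutes

# Constructed sample audit trail, not a real EHR export: (timestamp, user, chart id, action).
SAMPLE_LOG = [
    ("2025-03-03T09:12:00", "jdoe", "P1001", "view"),
    ("2025-03-03T22:40:00", "jdoe", "P1003", "view"),    # after hours
    ("2025-03-04T11:05:00", "bkim", "E0042", "view"),    # staff chart on the watchlist
] + [(f"2025-03-05T14:{m:02d}:00", "asmith", f"P3{m:03d}", "view") for m in range(12)]  # 12 charts in 12 min

def parse(entries):
    return [(datetime.fromisoformat(ts), user, chart, action) for ts, user, chart, action in entries]

def after_hours(events):
    """Chart access outside business hours."""
    return [(ts, u, c) for ts, u, c, _ in events if ts.hour not in BUSINESS_HOURS]

def watchlist_access(events, watchlist=WATCHLIST):
    """Any touch of an employee or high-profile client record."""
    return [(ts, u, c) for ts, u, c, _ in events if c in watchlist]

def bulk_access(events, count=BULK_COUNT, window_min=BULK_WINDOW_MIN):
    """Users who opened >= count distinct charts inside any window_min-minute span."""
    by_user = defaultdict(list)
    for ts, u, c, _ in events:
        by_user[u].append((ts, c))
    flagged = {}
    for u, rows in by_user.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            charts = {c for ts, c in rows[i:] if (ts - start).total_seconds() <= window_min * 60}
            if len(charts) >= count:
                flagged[u] = max(flagged.get(u, 0), len(charts))
    return flagged

def monthly_high_access(events, threshold=100):
    """(user, month) pairs above the article's 100-distinct-records-per-month benchmark."""
    charts = defaultdict(set)
    for ts, u, c, _ in events:
        charts[(u, ts.strftime("%Y-%m"))].add(c)
    return {k: len(v) for k, v in charts.items() if len(v) > threshold}

def review(entries=SAMPLE_LOG):
    """Run all four checks and return the findings keyed by check name."""
    ev = parse(entries)
    return {"after_hours": after_hours(ev), "watchlist": watchlist_access(ev),
            "bulk": bulk_access(ev), "high_access": monthly_high_access(ev)}
```

Each finding is a starting point for a documented review, not a verdict: the after-hours and watchlist hits need a business justification from the user's supervisor, and the bulk and monthly counts feed the high-access user list the article asks leadership to be able to produce.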

The Path Forward

Most breaches aren’t caused by clever hackers. They’re caused by things someone noticed but didn’t say out loud.

When you see something that doesn’t look right, say something. Your organization’s security depends on it, and so does the trust your clients place in you.

Leadership risk doesn’t come from what’s unknown. It comes from what goes unverified. EHR oversight deserves more than a line item on a compliance checklist. It calls for sustained executive attention and organizational ownership. The reputational stakes are simply too high to leave it to chance.

Security in behavioral health isn’t about fear. It’s about trust, and trust depends on the discipline of verification.


Sometimes an outside voice can help your organization hear what you’ve been trying to say. We understand the operational realities of behavioral health and the gap between noticing problems and getting them addressed. Schedule a conversation with Xpio Health.


References

  1. Ali, M., et al. Analyzing the Implications of Healthcare Data Breaches through Computational Technique. ResearchGate. 2022.
  2. Hussain, M., G. B. Gillani, & S. Hussain. Human Factors in Electronic Health Records Cybersecurity Breach: An Exploratory Analysis. U.S. National Institutes of Health (NIH) / National Library of Medicine (PMC). 2022.
  3. Raji, A., P. N. A. Oteniya, & D. C. F. F. Nweke. Securing electronic health records against insider-threats: A supervised machine learning approach. LJMU Research Online (Liverpool John Moores University). 2022.
  4. IBM Security & Ponemon Institute. Cost of a Data Breach Report 2025. IBM. 2025.
  5. Jiang, J., et al. MSU study: Ransomware drives US health data breaches. EurekAlert! (AAAS). 2025.
  6. Al-Abri, M., et al. Barriers to Incident Reporting among Nurses: A Qualitative Systematic Review. PubMed. 2021.
  7. Moore, S., & E. McAuliffe. To report or not to report? Why some nurses are reluctant to whistleblow. ResearchGate. 2014.
  8. U.S. Senate Committee on Finance. Hearing: Hacking America’s Health Care: Assessing the Change Healthcare Cyber Attack and What’s Next. U.S. Senate. 2024.
  9. House Committee on Energy and Commerce. What We Learned: Change Healthcare Cyber Attack. U.S. House of Representatives. 2024.
  10. U.S. National Academies of Sciences, Engineering, and Medicine. Privacy and Security Concerns Regarding Electronic Health Information. National Center for Biotechnology Information (NCBI). 2000.
  11. U.S. Department of Health & Human Services (HHS). Summary of the HIPAA Security Rule. HHS.gov.
  12. U.S. Department of Health & Human Services (HHS) Office for Civil Rights. Technical Safeguards – HIPAA Security Series #4. HHS.gov. 2003.