If you operate a medical practice or medical spa, here's a number that should keep you up at night: More than half of the people entering your workforce would sell your patients' most sensitive information for the right price. Not in some hypothetical future. Not in some dystopian scenario. Right now.
[Statistic callout] … of future healthcare IT workers said they would violate HIPAA and steal patient data if paid to do so.
A new study from the University at Buffalo, published in January 2026, surveyed 500 undergraduate students in technology-related programs, the same people who will soon be managing your electronic health records, configuring your network security, and handling your patient data. When asked whether they would illegally obtain and disclose protected health information for payment, the majority said yes.
The price? For some, less than $10,000.
The Uncomfortable Truth About Insider Threats
We spend enormous energy worrying about hackers in foreign countries, sophisticated ransomware gangs, and zero-day exploits. These threats are real. But this study confirms what those of us in security have known for years: your greatest vulnerability walks through your front door every morning.
The research found that willingness to violate HIPAA varied by salary level and perceived probability of being caught. Higher-paid employees required more money to be tempted. Those who believed they could avoid detection needed less. Perhaps most troubling: individuals with an interest in "ethical hacking" were actually more susceptible to accepting payment for illegal data access.
Why Medical Practices and Med Spas Are Uniquely Vulnerable
Large hospital systems have compliance departments, dedicated security teams, and established insider risk programs. They're still vulnerable, but they have resources. Medical practices and med spas? Most have none of these protections.
Consider what makes your environment particularly attractive to bad actors:
- High-value data: Patient health records, before/after photos, payment information, and contact details—all in one place
- Limited oversight: Small teams mean less segregation of duties and fewer checks on access
- Trust-based culture: Staff often have broad access because "they need it to do their job"
- Minimal monitoring: No one is watching who accesses what records, or when, or why
- Weak consequences: Without documented policies and enforcement, violations go unnoticed and unpunished
A front desk employee with financial stress. An IT contractor with database access. A billing specialist who knows exactly which patients would pay to keep their procedures private. These aren't hypothetical scenarios. They're the exact conditions this study measured.
The Regulatory Reality
When an insider breach occurs, HIPAA doesn't care that you're a small practice. The penalties are the same:
- $50,000 to $1.5 million per violation category per year
- Mandatory notification to affected patients within 60 days
- Notification to HHS (and media, for breaches over 500 individuals)
- Potential criminal prosecution for willful violations
- Civil lawsuits from affected patients
- Destruction of patient trust and practice reputation
And here's what most practice owners don't realize: you can be held liable for insider violations even if you didn't know they were happening. HIPAA requires you to have reasonable safeguards in place. "We trusted our staff" is not a defense.
What an Effective Insider Risk Program Looks Like
Building a program that actually protects your practice requires more than an annual training video and a policy document no one reads. It requires understanding human behavior, implementing appropriate controls, and creating accountability without destroying the collaborative culture that makes healthcare work.
Core Elements of Insider Risk Management
- Access controls based on actual need: Not "what they might need someday"
- Activity monitoring and audit logging: Knowing who accessed what, when, and from where
- Behavioral indicators framework: Identifying warning signs before violations occur
- Clear policies with documented consequences: Staff must know the rules and the penalties
- Regular training that addresses motivation: Not just "don't do this" but "here's what happens when you do"
- Background screening and ongoing evaluation: Trust, but verify—continuously
- Separation of duties: No single person should have unchecked access to sensitive data
- Incident response readiness: When (not if) something happens, you need a plan
Why We Built Our Practice Around This Problem
At SPM Advisors, insider risk isn't a service we added to a menu. It's the foundation of how we think about security.
Our team has spent years building and leading insider risk programs for organizations across multiple industries and continents. We've worked in environments where the consequences of insider compromise weren't just regulatory penalties—they were matters of national security, operational continuity, and human safety.
That experience shapes how we approach every medical practice and med spa engagement:
- We don't just install software. We design programs that account for human behavior, organizational culture, and operational reality.
- We don't just write policies. We create accountability structures that actually get followed.
- We don't just train staff. We build awareness that changes behavior when no one is watching.
- We don't just check boxes. We implement controls that would withstand scrutiny from OCR (the HHS Office for Civil Rights) and stand up in court.
The regulatory landscape is getting stricter. The threat actors are getting bolder. And now, we have research confirming that more than half of the workforce entering healthcare would compromise your patients for money.
The Question You Need to Ask
Look around your practice. Think about everyone who has access to patient records, payment information, and sensitive communications. Now ask yourself:
Would you bet your practice, your reputation, and your patients' trust that every one of them would say no to $10,000?
If you hesitated, even for a moment, you already know what you need to do.
Don't Wait for an Insider Incident to Take This Seriously
Let's have a confidential conversation about your current insider risk posture and what it would take to build a program that actually protects your practice.