News
Paper: Understanding failures in health data protection
Many health data breaches aren’t just caused by hackers. Inadequate processes and irresponsible use of health data often create opportunities for serious cybersecurity incidents. In our study, experts recounted staff admitting, “I didn’t know, nobody told me,” or using personal Gmail for sensitive communications. One cybersecurity expert observed, “[Healthcare ecosystems] are not good at these things [data protection by design]. We say that they don’t bake in security; they just bake the cake and spray on some [cyber]security.”
Our mixed-methods study, published in Behaviour & Information Technology (open access), explored these critical vulnerabilities in health data protection. We gathered insights from cybersecurity and privacy experts across 14 countries, including CISOs, IT security officers, researchers, privacy managers, and Data Protection Officers.
We identified 30 failure factors and, using the People-Process-Technology framework, unpacked the top seven:
- People: non-compliant behaviour and a lack of cybersecurity awareness
- Process: inadequate risk management, weak data integrity monitoring, and a lack of breach response and recovery plans
- Technology: insecure third-party applications and a lack of data protection by design
These factors often interlink, creating complex vulnerabilities. With the growing adoption of big data analytics and AI in healthcare, understanding these failure points is crucial. Our model offers actionable insights for healthcare organisations to strengthen data protection, develop mitigation policies, and reduce the risk of breaches, ensuring safer care and maintaining trust.
Towards a model for understanding failures in health data protection: a mixed-methods study, Javad Pool, Saeed Akhlaghpour, Farkhondeh Hassandoust, Farhad Fatehi & Andrew Burton-Jones