Most healthcare data breaches don’t start with a sophisticated hacker in a dark room. They start with an unlocked workstation, a shared password, or an email sent from the wrong account. The uncomfortable truth is that the majority of HIPAA violations in small practices are caused by entirely preventable IT mistakes — and many providers don’t discover them until after the damage is done.
Here are five of the most common IT mistakes we see at Atlantic Computer Systems, along with exactly what they put at risk and how to fix them.
133M healthcare records exposed in 2023
$10.9M average cost of a healthcare data breach — the highest of any industry
74% of breaches involve a human element — mistakes, not hackers
1. Using Personal or Consumer Email for Patient Communication
Gmail, Yahoo, and standard Outlook accounts are not HIPAA compliant by default. They lack the required encryption, audit logging, and Business Associate Agreement (BAA) from the provider. Sending even a single appointment reminder from a personal email account is a potential HIPAA violation.
What’s at risk
Fines from $100 to $50,000 per violation. Patient trust. Potential breach notification requirements affecting hundreds of patients.
The fix: Migrate to a HIPAA-compliant email platform (Microsoft 365 Business with a signed BAA, or a healthcare-specific alternative). ACS can set this up and manage it for you.
2. Relying on a Single Local Backup (or No Backup at All)
An external hard drive in the office is not a backup strategy. Ransomware encrypts everything on the network — including attached drives. A fire or flood takes out everything in the room. HIPAA requires that patient data be recoverable. Practices that cannot restore after an incident face fines and downtime that can stretch to weeks.
What’s at risk
Permanent loss of patient records. Inability to operate. Average ransomware recovery cost for healthcare: $1.85 million.
The fix: Implement a 3-2-1 backup strategy: three copies of data, on two different media types, with one stored offsite in the cloud. ACS manages automated, encrypted, offsite backups as part of our managed IT plans.
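To make the 3-2-1 rule concrete, here is a small checker, added as an illustration for this post and not part of ACS's tooling, that evaluates a backup inventory against the rule as stated above. The two inventories are constructed: the first is the "external drive next to the server" setup described above, the second is a live copy plus an office NAS plus an encrypted cloud copy. The `DataCopy` fields and the encryption check on the offsite copy are assumptions of this example.

```python
"""Evaluate a backup inventory against the 3-2-1 rule.

Added example for this page, not ACS's own tooling. The inventories below are
constructed; the rule itself is as stated in the text: three copies of the data,
on two different media types, with one copy offsite.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataCopy:
    label: str
    media: str        # e.g. "local-disk", "usb-hdd", "cloud-object-storage"
    offsite: bool     # stored outside the office and off the office network
    encrypted: bool


def check_3_2_1(copies):
    """Return the gaps between this inventory and 3-2-1 (empty list = compliant).

    The count includes the live copy on the practice server, as the rule does.
    """
    gaps = []
    if len(copies) < 3:
        gaps.append(f"only {len(copies)} copies of the data; the rule needs 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        gaps.append(f"all copies are on one media type ({', '.join(sorted(media))}); the rule needs 2")
    offsite = [c for c in copies if c.offsite]
    if not offsite:
        # Every copy is in the building and on the network: one ransomware
        # incident, fire or flood can take all of them at once.
        gaps.append("no offsite copy; a single incident in the office can destroy every copy")
    for c in offsite:
        if not c.encrypted:
            gaps.append(f"offsite copy '{c.label}' is not encrypted")
    return gaps


def is_compliant(copies):
    return not check_3_2_1(copies)


# Constructed inventory 1: the mistake described above, an external drive beside the server.
SINGLE_DRIVE = [
    DataCopy("practice server (live data)", "local-disk", offsite=False, encrypted=False),
    DataCopy("external USB drive in the office", "usb-hdd", offsite=False, encrypted=False),
]

# Constructed inventory 2: live data, a nightly copy to a NAS, and an encrypted cloud copy.
THREE_TWO_ONE = [
    DataCopy("practice server (live data)", "local-disk", offsite=False, encrypted=False),
    DataCopy("nightly copy on office NAS", "local-disk", offsite=False, encrypted=True),
    DataCopy("nightly copy in cloud backup service", "cloud-object-storage", offsite=True, encrypted=True),
]


if __name__ == "__main__":
    for name, inventory in (("single drive", SINGLE_DRIVE), ("3-2-1", THREE_TWO_ONE)):
        print(name + ":", "OK" if is_compliant(inventory) else check_3_2_1(inventory))
```

The single-drive inventory fails on two counts (too few copies, nothing offsite); note that it passes the "two media types" test, which is why that test alone is not enough.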
3. Delaying Software Updates and Security Patches
Every unpatched vulnerability is a documented, public attack vector. The WannaCry ransomware attack that crippled the UK NHS in 2017 exploited a Windows vulnerability that had a patch available for two months prior. Practices that run outdated operating systems, EHRs, or third-party software are leaving known doors unlocked.
What’s at risk
60% of breaches involve vulnerabilities where a patch was already available. Running Windows 10 after its October 2025 end-of-life is an automatic HIPAA risk factor.
The fix: Automated patch management applied on a defined schedule, without disrupting your clinical workflow. This is a standard component of ACS managed IT.
4. Sharing Login Credentials Between Staff Members
It is common in busy practices: everyone knows the office password. It feels efficient, but HIPAA audit control requirements mean you must be able to show exactly who accessed which patient records and when. Shared credentials make that impossible. Worse, when an employee leaves, their access does not leave with them — because their credentials are everyone’s credentials.
What’s at risk
HIPAA audit failures. No way to investigate a breach. Former employees retaining full system access long after their last day.
The fix: Individual named accounts for every user. Role-based access controls so staff only see what they need. Offboarding checklists that disable access on the employee’s last day.
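The audit-control problem above is easy to see once you try to answer "who looked at this chart?" from a real log. The script below is an added example for this post, not ACS tooling; the log format, the identity directory (`DIRECTORY`), the account names and the five log lines are all constructed. It attributes each access to a person, flags accesses from a shared account that cannot be attributed, looks for the same account active on two workstations within a few minutes (a sign the login is being shared), and lists accounts that are still enabled after their owner's last day.

```python
"""Audit an EHR access log for attribution gaps.

Added example for this page, not ACS tooling. The log format, the identity
directory and the log lines below are all constructed for illustration.
"""
import re
from datetime import date, datetime, timedelta

# Constructed log format: one event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ws=(?P<ws>\S+) "
    r"action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)

# Constructed identity directory. A named account has one owner; a shared
# account (owner None) cannot be tied to a person. last_day is the offboarding date.
DIRECTORY = {
    "frontdesk": {"owner": None, "enabled": True, "last_day": None},
    "j.smith": {"owner": "Jane Smith", "enabled": True, "last_day": None},
    "r.lee": {"owner": "Ray Lee", "enabled": True, "last_day": date(2024, 2, 15)},
}

TODAY = date(2024, 3, 4)  # constructed audit date

SAMPLE_LOG = """\
2024-03-04T09:12:03 user=frontdesk ws=WS-01 action=view patient=P1001
2024-03-04T09:13:40 user=frontdesk ws=WS-03 action=view patient=P1002
2024-03-04T09:15:10 user=j.smith ws=WS-02 action=update patient=P1001
2024-03-04T09:20:55 user=r.lee ws=WS-04 action=export patient=P1003
2024-03-04T10:02:00 user=frontdesk ws=WS-01 action=view patient=P1004
"""


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def attribute(events, directory):
    """Resolve each event to a person; None means the access cannot be attributed."""
    for ev in events:
        entry = directory.get(ev["user"])
        ev["person"] = entry["owner"] if entry else None
    return events


def shared_use_evidence(events, window=timedelta(minutes=5)):
    """Same account on two different workstations within `window`: a sign the login is shared."""
    hits = []
    ordered = sorted(events, key=lambda e: (e["user"], e["ts"]))
    for prev, cur in zip(ordered, ordered[1:]):
        if (prev["user"] == cur["user"] and prev["ws"] != cur["ws"]
                and cur["ts"] - prev["ts"] <= window):
            hits.append((cur["user"], prev["ws"], cur["ws"]))
    return hits


def stale_accounts(directory, today):
    """Enabled accounts whose owner's last day has already passed."""
    return sorted(
        name for name, e in directory.items()
        if e["enabled"] and e["last_day"] is not None and e["last_day"] < today
    )


def audit(text, directory, today):
    """Summarise attribution gaps, shared-use evidence and offboarding misses."""
    events = attribute(parse_log(text), directory)
    unattributed = [ev for ev in events if ev["person"] is None]
    after_last_day = [
        ev for ev in events
        if directory.get(ev["user"], {}).get("last_day") is not None
        and ev["ts"].date() > directory[ev["user"]]["last_day"]
    ]
    return {
        "events": len(events),
        "unattributed": len(unattributed),
        "shared_use": shared_use_evidence(events),
        "stale_accounts": stale_accounts(directory, today),
        "activity_after_last_day": [(ev["user"], ev["ts"].isoformat()) for ev in after_last_day],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG, DIRECTORY, TODAY).items():
        print(f"{key}: {value}")
```

On the constructed log, three of the five accesses come from the shared `frontdesk` account and cannot be tied to a person, that account appears on two workstations within two minutes, and `r.lee` is still enabled and exporting a chart weeks after the owner's last day: exactly the three findings an OCR auditor would ask about.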
5. Having No Written Incident Response Plan
When a breach happens, the first 24 hours are critical. HIPAA requires breaches affecting 500 or more individuals to be reported to HHS within 60 days — and all breaches must be logged, with smaller ones reported annually. Practices with no documented plan scramble, make costly mistakes, and often miss notification deadlines. OCR audits routinely cite the absence of a written incident response plan as a separate, standalone violation.
What’s at risk
Compounded fines from both the breach and the missing response plan. No clear ownership of who does what when an alert fires at 2am.
The fix: A documented, tested incident response plan specific to your practice. ACS helps practices build and maintain these as part of our HIPAA compliance package.
Quick Self-Audit: How Many Apply to Your Practice?
[ ] We use Gmail, Yahoo, or another personal email for patient communication
[ ] Our only backup is a local external drive or a single copy on the network
[ ] We update software when we get around to it — not on a defined schedule
[ ] Multiple staff members share a single login or password
[ ] We do not have a written plan for what to do if we are hit with ransomware or a data breach
If you checked even one box, it is worth getting a professional eye on your setup before a regulator does.
Atlantic Computer Systems
Find out which of these apply to your practice — for free.
Our free 30-minute IT & HIPAA Security Assessment covers all five of these areas and more. No obligation, no jargon — just a clear picture of where you stand and what to fix first.
Book Your Free Assessment →
