How Nurses in Long-Term Care Can Prevent Data Breaches
February 20, 2026 | Varsha Chaugai
When healthcare organizations think about data breaches, they often picture sophisticated hackers and ransomware attacks. The reality is more straightforward and more preventable.
Research consistently points to human behavior as the primary driver. According to Mimecast, an estimated 95% of data breaches are attributable to human error. Verizon's 2025 Data Breach Investigations Report found that 60% of breaches involve a human element, whether that is a malicious insider or an employee falling for a phishing scheme. Separate analysis found that 68% of data breaches globally in 2024 resulted from non-malicious human failure, meaning staff who made a mistake, not staff who intended harm.
The Uncomfortable Truth: Most Breaches Start With People
In healthcare specifically, 43% of data breaches are attributed to human error, including lost or stolen devices, insider threats, and unintentional disclosures, according to data compiled from HHS Office for Civil Rights (OCR) reports.
For nurses, social workers, and care staff working in long-term care (LTC) or skilled nursing facilities, this is both a sobering and empowering statistic. Most breaches are preventable, but only if frontline staff understand what to watch for.
Why Long-Term Care Is Particularly Vulnerable
Long-term care environments pose unique data risk conditions. Staff turnover is high. Multiple team members access the same resident records. Communication with families occurs across a patchwork of tools, including phone calls, personal emails, messaging apps, and printed forms, many of which were never designed for protected health information (PHI).
Residents in LTC settings often have complex health and financial profiles. Their records contain diagnoses, medication lists, financial information, family contact details, and legal documents such as powers of attorney and consent forms. A single improperly shared email or an unlocked shared workstation can expose a significant amount of that information.
The scale of the problem across healthcare is significant. Between 2009 and 2024, over 6,700 healthcare data breaches of 500 or more records were reported to the HHS OCR, affecting more than 846 million individuals. In 2024 alone, the protected health information of over 276 million people was exposed or stolen, the worst year on record for breached healthcare records. The average cost of a single healthcare data breach rose to $4.88 million (USD) in 2024, a 10% increase year over year.
LTC homes are not exempt from these trends. And unlike large hospital systems with dedicated IT departments, most LTC facilities operate with limited technical infrastructure and security staff.
Common Ways Employee Actions Lead to Breaches
Understanding how breaches happen is the first step toward preventing them. The most common employee-driven causes in healthcare include:
- Phishing attacks. Employees receive a convincing email that appears to come from a legitimate source, such as a vendor, a health authority, or even a colleague, and click a malicious link or download an infected file. The 2024 ransomware attack on Ascension Health, which compromised the data of nearly 5.6 million patients, was initiated by an employee who inadvertently downloaded a malicious file.
- Unauthorized or accidental disclosure. Sending a resident's information to the wrong family member, copying the wrong email address, or discussing a resident's condition in a shared space where others can overhear are all disclosure violations under HIPAA and PIPEDA.
- Using personal devices or unapproved apps. When nurses or social workers use personal email, WhatsApp, or text messages to share updates with families because it is faster or more convenient, they create a pathway for data to exist outside of secure, auditable systems.
- Leaving systems unattended. An unlocked workstation or shared tablet with an active session is an open door. A former Nuance employee accessed the records of over 1.27 million patients at Geisinger after their login credentials were not revoked upon termination, a reminder that access management matters at every stage of employment.
- Improper disposal. Printed records, consent forms, or notes that are left on desks, recycled in general bins, or thrown away without shredding can expose PHI.
- Oversharing with family members. A resident may have multiple family members, but only certain individuals hold legal authority to receive health information. Sharing updates with the wrong contact, even with the best intentions, is a breach.
What Nurses and Social Workers Should Know
Your legal obligations
In the United States, HIPAA governs the use and disclosure of protected health information. In Ontario, Canada, the Personal Health Information Protection Act (PHIPA) sets out equivalent obligations. Both frameworks require that health information only be shared with authorized individuals, through secure means, for legitimate care purposes.
The 21st Century Cures Act adds another layer for US-based providers, prohibiting information blocking and requiring that patients (and by extension, residents and their authorized representatives) have timely access to their health information.
Violations can result in significant fines and, in some cases, personal liability for the staff member involved, not just the organization.
Using technology responsibly
Many LTC homes are modernizing their communication tools. Platforms like Engage+ (connected to the PointClickCare EHR) are designed to give nurses a secure, auditable way to share updates with authorized family members, send invoices, manage consent forms, and document communication, all without relying on personal devices or informal channels.
When staff use approved, integrated technology, they reduce the risk of accidental disclosure and create a clear record of who received what information and when. This matters for compliance audits and for defending against claims of inadequate communication.
The operational impact is real. Facilities using Engage+ have reported reductions in staff workload related to family communication of over 50% and improved staff confidence that they are sharing information through the right channels.
Questions to Ask Yourself Before Sharing Resident Information
Before sending, saying, or handing over resident information, staff should pause and consider the following:
- Am I authorized to share this? Do I know who is legally designated to receive health or financial information about this resident? Have I verified their identity?
- Is this the right channel? Am I using a facility-approved system? Does this channel encrypt information in transit and at rest?
- Is this the minimum necessary information? Am I sharing only what is needed for the purpose at hand, or am I including more detail than necessary?
- Have I verified the recipient? If I am sending digitally, have I double-checked the email address, phone number, or recipient in the system? One wrong character can send a resident's record to a stranger.
- Would I be comfortable if this communication were to appear in an audit? If the answer is no, it is worth pausing to find a more appropriate method.
- Is this device or screen visible to others? Am I in a common area where someone else could read what is on my screen or overhear a conversation?
- Does this family member have current, signed consent on file? Authorization should be documented and up-to-date. If there is any doubt, verify before sharing.
Practical Steps to Reduce Your Risk
- Use only approved platforms for family communication. If your facility has a secure family portal, use it. If staff are relying on personal email or consumer messaging apps because nothing better is available, that is a conversation to bring to leadership.
- Lock your workstation every time you step away. This takes two seconds and prevents a significant class of unauthorized access.
- Do not share your login credentials. Even with a trusted colleague. Even in a staffing emergency. Every access event should be tied to an individual user for accountability.
- Report suspicious emails before clicking. A vendor email asking you to verify credentials or to reset a password should be verified through a known, official contact, not by clicking the link in the email.
- Know the escalation path. If you discover or suspect a breach, know who to notify immediately. Early reporting reduces regulatory exposure and limits harm to residents.
- Ask for training. If your facility has not provided cybersecurity and data privacy training recently, ask. Regular, role-specific training is one of the most effective tools available for reducing human-error breaches.
A Note on Technology as a Safeguard
There is a persistent misconception that using more technology creates more risk. In many LTC settings, the opposite is true. Informal, fragmented communication practices that rely on phone calls, sticky notes, personal emails, and paper forms create unauditable, uncontrolled pathways for PHI to move outside secure systems.
Integrated platforms built for LTC environments reduce that risk by centralizing communication, automating documentation, and limiting access to authorized users. They also reduce the cognitive load on nursing staff already managing significant workloads, thereby reducing the likelihood of errors under pressure.
When staff are equipped with tools that make the right behavior the easy behavior, compliance improves. So does resident and family trust.
The Bottom Line
Data breaches in long-term care are rarely the result of malicious intent by frontline staff. They are overwhelmingly the result of gaps in training, inadequate tools, and workflows that make it difficult to do the right thing quickly.
Nurses and social workers are not the problem. But they are positioned to be a significant part of the solution, and the decisions made in the course of daily work, about what to share, with whom, through which channel, and on which device, collectively determine whether a facility's resident data remains protected.
That responsibility is significant. So is the opportunity to get it right.