The Breach That Took 10 YEARS to Detect And What It Means for You

You Might Be HIPAA Compliant. But Are You Secure?

At the University of Maryland Medical Center (UMMC), one employee allegedly spent a decade spying on coworkers using keylogging software quietly installed on over 400 devices.

What did he access?

Personal emails. Dating apps. Home surveillance feeds.

Even private footage of young mothers pumping breast milk in treatment rooms.

Now, UMMC is facing a class-action lawsuit, and the healthcare world is facing a brutal truth:

Insider Threats Are Now the #1 Cause of Healthcare Breaches

Ransomware grabs headlines.

But insiders (employees, contractors, and vendors) cause more breaches than malware.

Why?

  • They already have access.

  • They blend in.

  • Continuous monitoring tools are lacking.

  • Organizations usually watch only external threats and don't look inside.

The UMMC case isn’t about one rogue actor.

It’s about a failure of visibility, governance, and leadership.

No one noticed, for TEN years.

That’s not a tech problem.

That’s an executive problem.

Why This Should Make Every Digital Health Exec Cringe

If your security program is built around compliance checklists, policies, and once-a-year audits, you’re missing the point.

Because here’s the truth: this is a startup mentality.

UMMC is a mature, established healthcare system. If it happened there, it can happen in your company too.

Let’s talk about how.

Where Most Health Tech Companies Are Exposed

Insider breaches don’t happen overnight.

They happen when cybersecurity leadership is missing.

Here’s what we see most often:

  • Devices and software aren't inventoried

  • Users have local admin access

  • Software restrictions are not in place

  • Development teams are busy and lack the security expertise

  • Security isn't implemented using a holistic approach

  • Sanctions are non-existent or aren't enforced

And in UMMC’s case?

The breach continued for 10 years, which tells us:

  • No security monitoring was in place

  • HIPAA and privacy obligations were not a concern

  • No one had the expertise of a CISO to operationalize security

That's not just a gap.

That’s a SYSTEMIC failure.

If you’re starting to wonder whether your current HIPAA program can keep up, I put together a short guide that digs into the advanced controls most digital health companies overlook.

It’s called the HIPAA Exposure Guide, and it’s designed for teams scaling quickly without a full-time security lead.

👉 Grab it here

5 Moves to Prevent the Next UMMC-Style Breach

If you’re a scaling digital health company, here’s what needs to happen now.

1. Enforce Endpoint Security

Disable unapproved software installs.

Set alerts for install attempts to monitor behavior.

2. Audit Admin Access

Too many orgs assign broad access and never revoke it.

Limit what employees can access, and review it routinely (especially during org changes; DON'T end up like Oracle).

3. Remove Local Admin Privileges

If your employees can install apps without approval, you’re exposed.

Lock it down.

4. Monitor Network Activity

SIEMs are good at spotting anomalies on the network and identifying threats in real time.

At your growth stage this is a must.

5. Appoint a CISO with Real Authority

HIPAA shouldn't be treated as a one-and-done annual check; it should improve and adapt with operations.

Someone on your team needs to own it, and have the power to enforce it.

Leverage a Fractional CISO.
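To make moves 1 through 4 concrete, here is an added example (not code from the original post or from Inherent Security) that runs the underlying checks over constructed endpoint telemetry: install attempts are compared against a software allowlist, the same unapproved tool showing up on several hosts is flagged, and each host's local Administrators group is compared against a sanctioned baseline. The event shapes, the APPROVED_SOFTWARE allowlist, the SANCTIONED_LOCAL_ADMINS set, and every hostname, username and product name are assumptions; real data would come from your EDR or SIEM.

```python
# Added example, not code from the original post or from Inherent Security.
# It runs the checks behind moves 1-4 (block/alert on unapproved installs,
# audit local admin membership) over constructed endpoint telemetry.
# The event shapes, the APPROVED_SOFTWARE allowlist, the sanctioned admin
# accounts and every hostname, username and product name are assumptions.
from dataclasses import dataclass
from datetime import datetime

APPROVED_SOFTWARE = {"Microsoft Office", "Zoom", "Epic Hyperspace"}   # assumed allowlist
SANCTIONED_LOCAL_ADMINS = {"Administrator", "CORP\\IT-Helpdesk"}      # assumed baseline


@dataclass(frozen=True)
class InstallEvent:
    """One software-install attempt reported by an endpoint agent (assumed shape)."""
    host: str
    user: str
    product: str
    ts: datetime


@dataclass(frozen=True)
class AdminSnapshot:
    """Membership of a host's local Administrators group at one point in time."""
    host: str
    members: frozenset
    ts: datetime


# Constructed sample telemetry. "KeyCapturePro" is a made-up product name
# standing in for any unapproved tool; it is not a real product.
INSTALL_EVENTS = [
    InstallEvent("WS-0412", "CORP\\jdoe", "Zoom", datetime(2024, 5, 1, 9, 0)),
    InstallEvent("WS-0412", "CORP\\jdoe", "KeyCapturePro", datetime(2024, 5, 1, 22, 15)),
    InstallEvent("WS-0077", "CORP\\IT-Helpdesk", "Microsoft Office", datetime(2024, 5, 2, 10, 30)),
    InstallEvent("WS-0099", "CORP\\jdoe", "KeyCapturePro", datetime(2024, 5, 3, 23, 5)),
]

ADMIN_SNAPSHOTS = [
    AdminSnapshot("WS-0412", frozenset({"Administrator", "CORP\\IT-Helpdesk", "CORP\\jdoe"}),
                  datetime(2024, 5, 4, 6, 0)),
    AdminSnapshot("WS-0077", frozenset({"Administrator", "CORP\\IT-Helpdesk"}),
                  datetime(2024, 5, 4, 6, 0)),
    AdminSnapshot("WS-0099", frozenset({"Administrator", "CORP\\IT-Helpdesk"}),
                  datetime(2024, 5, 4, 6, 0)),
]


def unapproved_installs(events):
    """Move 1: every install attempt whose product is not on the allowlist."""
    return [e for e in events if e.product not in APPROVED_SOFTWARE]


def unapproved_spread(events, min_hosts=2):
    """Same unapproved product appearing on several hosts: the pattern that would
    show one tool creeping across many devices. Returns {product: sorted hosts}
    for products seen on at least min_hosts distinct hosts."""
    hosts_by_product = {}
    for e in unapproved_installs(events):
        hosts_by_product.setdefault(e.product, set()).add(e.host)
    return {p: sorted(h) for p, h in hosts_by_product.items() if len(h) >= min_hosts}


def unsanctioned_local_admins(snapshots):
    """Moves 2 and 3: hosts whose Administrators group holds accounts outside
    the sanctioned baseline, i.e. users who can install anything they like."""
    findings = {}
    for s in snapshots:
        extra = set(s.members) - SANCTIONED_LOCAL_ADMINS
        if extra:
            findings[s.host] = extra
    return findings


def alerts(events, snapshots):
    """One line per finding, the way a SIEM rule would surface them (move 4)."""
    lines = [f"UNAPPROVED_INSTALL host={e.host} user={e.user} product={e.product} "
             f"at={e.ts:%Y-%m-%d %H:%M}"
             for e in unapproved_installs(events)]
    lines += [f"UNAPPROVED_SPREAD product={p} hosts={','.join(h)}"
              for p, h in unapproved_spread(events).items()]
    lines += [f"UNSANCTIONED_ADMIN host={h} accounts={','.join(sorted(a))}"
              for h, a in unsanctioned_local_admins(snapshots).items()]
    return lines


if __name__ == "__main__":
    for line in alerts(INSTALL_EVENTS, ADMIN_SNAPSHOTS):
        print(line)
```

Run as-is it prints four findings: two unapproved install attempts, one product spreading across two hosts, and one host where a regular user sits in the local Administrators group. The point of the design is that each check is cheap and mechanical; what the UMMC case shows is that nobody was running any of them.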

You Don’t Just Lose Data, You Lose Trust

This fiasco was a violation of dignity and privacy.

For every patient, coworker, or family member affected, this becomes a matter of company values, not just regulatory exposure.

And that’s something no policy can thwart.

If You’ve Outgrown Your Security Capabilities, You’re Not Alone

Most digital health companies scale faster than their teams can keep up.

They overburden developers who don't have the expertise.

Or tech execs don't have the time to give it the attention it needs.

If this sounds familiar, here’s your signal to move towards strategy.

As a Fractional CISO, I help digital health companies:

  • Manage HIPAA efforts and build resilience

  • Identify security gaps

  • Assist teams with baking security into operations

  • Stop insider threats before they happen

You don’t need more software.

You need leadership, visibility, and accountability.

👉 Book here

L Trotter II

As Founder and CEO of Inherent Security, Larry Trotter II is responsible for defining the mission and vision of the company, ensuring execution aligns with the business purpose. Larry has transformed Inherent Security from a consultancy to a cybersecurity company through partnerships and expert acquisitions. Today the company leverages its healthcare and government expertise to accelerate compliance operations for clients.

Larry has provided services for 12 years across private industry, developing security strategies and managing security operations for Fortune 500 companies and healthcare organizations. He is an influential business leader who can demonstrate the value proposition of security and its direct link to customers.

Larry graduated from Old Dominion University with a bachelor’s degree in Business Administration with a focus on IT and Networking. Larry has accumulated certifications such as the CISM, ISO27001 Lead Implementer, GCIA and others. He serves on the Board of Directors for the MIT Enterprise Forum DC and Baltimore.

https://www.inherentsecurity.com