July 26, 2025

HIPAA Compliance in the Age of AI: Safeguarding ePHI for Community Health Innovation and Participatory Research

Image Credits: Canva and Akitra.

The Community Trust Crisis: When Data Breaches Hit Home

Imagine that you’re a public health provider who has spent three years building trust with a hard-to-reach community for participatory research initiatives on diabetes management. Community members have shared their most intimate health struggles, opened their homes for interviews, and become co-investigators in designing interventions. Then, one morning, you wake up to find that a “secure” cloud platform you used to store de-identified survey data has been breached, exposing not just participant information, but also compromising the very foundation of community trust you’ve worked so hard to build.

Sounds like a nightmare? Welcome to 2025, where the intersection of artificial intelligence, participatory research, and privacy protection creates a dangerous combination that would make even the most seasoned IRB member reach for their emergency coffee stash.

The viral Tea data leak in July 2025 exposed 60 GB of Americans’ personally identifiable information (PII), including full legal names and driver’s licenses, on the public internet.

Digital transformation in healthcare promises unprecedented opportunities, but also exposes critical blind spots in privacy, equity, and governance. On July 25, 2025, the high-profile data breach of the Tea app, which exposed tens of thousands of users’ driver’s license information, full names, and addresses, serves as a stark reminder that our digital infrastructure is only as strong as its weakest link.

While Tea may not be a healthcare platform, its data leak mirrors similar vulnerabilities in the public health sector: the widespread adoption of generative AI tools and cloud-based platforms without sufficient attention to data stewardship, informed consent, or community trust.

Kaiser data breach exposed up to 13 million patients’ protected health information (PHI). Image Credit: Adobe Stock.

The implications of such data breaches extend far beyond social media. In May 2024, Kaiser Permanente notified its members about a data breach impacting 13.4 million individuals, stemming from third-party tracking technologies embedded in its website and mobile platforms. This incident exemplifies a troubling trend in healthcare: the unchecked adoption of generative AI tools and cloud-based storage practices by healthcare workers is exposing electronic protected health information (ePHI) in ways that communities are often unequipped to handle.

PHI, or Personal Health Information, is information that relates to a person’s past, present, or future physical or mental health or condition, the provision of healthcare to a person, or the payment for a person’s healthcare. Image Source: Hushmail, March 2025.

These data breaches do not simply impact the design of technical infrastructure, but also have severe implications for community trust. Public health researchers and institutions rely on trust-based relationships with communities, especially when collecting and managing sensitive patient data. HIPAA, while often viewed as a compliance burden, is crucial for protecting the relationship between healthcare provider and patient. Recent federal enforcement actions, such as the July 2025 $250,000 HIPAA settlement with a New York surgery center, underscore the need for healthcare entities and research teams alike to integrate robust risk analysis, transparent communication, and ethical data practices into their AI and cloud strategies.

Malpractice in data stewardship increasingly exposes electronic protected health information (ePHI) and personally identifiable information (PII) in ways that disproportionately affect marginalized communities. Additionally, data breaches impact the core of what makes participatory research possible: mutual trust, reciprocity, and community ownership of the research process.

If participatory research is to thrive in the AI era, HIPAA must be seen not as mere regulation, but as a framework for patient privacy, equity, and mutual respect. Safeguarding ePHI is not a mere legal obligation, but a prerequisite for inclusive innovation, ethical scholarship, and community-centered public health advancement.

Data Breaches in Healthcare: Implications for Public Health

AI in Health Settings Outside the Hospital and Clinic. Represented in the orange third of the figure above are typical hospital and clinic settings. The blue two-thirds represent the settings in which most health-related and human experiences unfold, such as home, work, and community environments. Health-relevant data captured in these settings, for instance through smartphone and wearable technology, can inform personalized and timely interventions, as well as public and environmental health assessments. Image Credit: National Academy of Medicine.

The healthcare industry has rapidly embraced artificial intelligence, with nearly all organizations now leveraging AI tools to enhance efficiency and patient care. According to Netskope Threat Labs Report: Healthcare 2025, 88% of healthcare organizations have adopted cloud-based generative AI technologies, 98% use applications that incorporate generative AI features, 96% employ tools that leverage user data for training, and 43% are experimenting with deploying generative AI infrastructure on-site.

However, this rapid integration of generative AI tools along with vibe-coded applications in clinical workflows has introduced new, frequently overlooked vectors for data leakage in the patient care environment. Additionally, healthcare workers have been found uploading ePHI to unvetted AI chatbots or cloud storage platforms without explicit consent or proper risk assessment.

According to the HIPAA Journal, healthcare data breaches are rising at an alarming rate. Since July 2024, there has been a 16.67% month-over-month increase in reported breaches. Furthermore, between May and June 2025, there was a 302.71% surge in the number of individuals whose protected health information (PHI) was exposed or impermissibly disclosed.

In June 2025 alone, HIPAA-regulated organizations reported 70 data breaches involving 500 or more individuals, well above the 12-month average of 59. This trend underscores systemic gaps in data security, governance, and accountability.

There has been a 16.67% month-over-month increase in healthcare data breaches over the last 12 months. Image Source: HIPAA Journal, July 2025.

7.6 million individuals had their protected health information exposed or impermissibly disclosed between May 2025 and June 2025, a 302.71% increase in a single month. Image Source: HIPAA Journal, July 2025.

This concerning trend of breached patient data is not simply a case study for security analysts but also raises concerns around the future of community health infrastructure. The ripple effects of lost patient trust, data-driven stigma, and compromised continuity of care are profound, especially for medically underserved and digitally marginalized populations.

A substantial portion of sensitive data shared with generative AI apps includes HIPAA-regulated data, source code, and intellectual property, suggesting that generative AI applications offer innovative solutions, but also introduce new vectors for potential data breaches. Source: Netskope Threat Labs Report Healthcare, 2025.

Data Loss Protection for Healthcare Data

The deployment of generative AI in healthcare settings raises urgent ethical questions. Where does consent begin and end when clinicians unknowingly share PHI with third-party systems? How can we ensure that automation doesn’t displace cultural competence, informed communication, and care continuity?

As more clinical and operational tasks are offloaded to intelligent systems, healthcare organizations must critically evaluate the opacity, bias, and privacy vulnerabilities embedded in these tools. Failing to do so risks normalizing noncompliance as an unintended consequence of innovation.

To manage the data risks associated with generative AI applications, organizations in the healthcare sector are rapidly adopting DLP policies. Source: Netskope Threat Labs Report: Healthcare, 2025.

In response, many organizations are turning to Data Loss Prevention (DLP) strategies to mitigate these emerging risks. As reported in Netskope’s 2025 Healthcare Threat Labs Report, over the past year, the adoption of DLP controls to monitor and regulate access to generative AI applications has increased significantly—from 31% to 54% of healthcare organizations. This shift signals a growing recognition of the risks associated with unmonitored AI usage and a stronger commitment to safeguarding sensitive patient data.

By implementing DLP strategies, healthcare providers are taking a proactive step toward responsible AI integration, reinforcing operational security while still advancing innovation. This transition reflects a broader movement toward embedding privacy and compliance into the AI development lifecycle, ensuring that technology serves both institutional goals and community trust.

The Business Associate Blind Spot in Community Research

Image Credit: Dash ComplyOps.

Here’s where things get interesting for participatory researchers: many of the platforms and tools commonly used in community-based research may qualify as Business Associates under HIPAA, even if researchers don’t initially realize it.

That survey platform you’re using to collect health behavior data? Potentially a Business Associate. The transcription service for your focus groups about maternal health experiences? Definitely a Business Associate if they’re handling PHI. The community organization partner who helps with data collection? Might be a Business Associate depending on their role.

A critical blind spot in HIPAA compliance is the oversight of Business Associates (BAs). BAs are third parties contracted to perform services involving PHI on behalf of covered entities. While BAs are legally bound by HIPAA, many organizations fail to audit their Business Associate Agreements (BAAs) adequately.

Image Credit: Bright Defense, 2025.

A notable example: In July 2025, Episource, LLC, a business associate in California, suffered a hacking incident that led to the confirmed data theft of over 5.4 million health records. This incident stands as one of the largest breaches involving a BA to date and highlights systemic BA-related vulnerabilities.

Many research teams treat BAAs as mere formalities, but this approach creates significant risks for community partners. When a community organization signs a BAA to help with data collection, they’re taking on legal liability for data protection—often without adequate resources or training to meet these obligations. HIPAA Journal has summed it up concisely: “If you’re not auditing your BAAs, you’re not protecting your data.”

Recent updates to the HIPAA Security Rule proposed by HHS aim to close these gaps with stronger expectations for all BAs, including:

Rigorous vendor oversight, requiring BAs and their subcontractors to notify covered entities within 24 hours of activating contingency plans

Annual technical inventories and data flow mapping to improve visibility into how electronic protected health information (ePHI) is stored, accessed, and transmitted

Mandatory annual security audits for both covered entities and their business associates

Enforcement of multi-factor authentication (MFA), data encryption, and routine penetration testing and vulnerability scanning to ensure systems remain resilient against evolving cyber threats

For community-based research to remain ethical and secure, BAA oversight must be proactive, not performative, and community partners need support, not just signatures.

The Regulatory Maze: Navigating HIPAA’s New Frontier

A HIPAA privacy risk assessment considers the confidentiality, integrity, and availability of non-electronic and electronic PHI, covers individuals’ access rights to their PHI, BAAs, and other organizational requirements of HIPAA. Image Credit: Inland Cyber Defense Center and Community Translational Research Institute.

The January 2025 HHS proposed revisions to the HIPAA Security Rule mark the first significant update since 2013, a lifetime ago in internet years.

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has updated its guidance, recommending that HIPAA-covered health care providers, health plans, clearinghouses, and business associates implement the following steps to prevent or mitigate cyber threats:

Know Your Data Flows: Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems. For community research, this means mapping not just digital systems, but also understanding how community partners handle and share information.

Community-Centered Risk Assessment: Traditional risk assessments focus on organizational impacts, but participatory researchers must also consider community-level risks. What would happen to your community partners if their association with your research became public due to a data breach?

Culturally Relevant Training: Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties. For community research, this means training that acknowledges different cultural understandings of privacy and data sharing.

Operational resilience begins with proactive design and continuous validation of data protections. HIPAA safeguards should not be treated as box-checking exercises or applied only when convenient. Instead, HIPAA compliance represents the minimum viable standard for securing patient data in an increasingly hostile threat environment.

Security teams and community health researchers are advised to follow OCR’s recommendations as a foundational benchmark: a baseline for evaluating controls, drafting cyber playbooks, and pressure-testing incident response, to be enhanced according to the organization’s use case. The objective is not just regulatory compliance, but sustained readiness and trust.

Conclusion: HIPAA as a Foundation, Community Trust as the True North

The aim of cyber resilience is to preserve data and system integrity and the confidentiality of personal and organizational data. Source: EducationalDataHub.org.uk, last accessed July 2025.

The integration of AI into participatory health research presents both extraordinary opportunities and significant risks. In an era of agentic AI and vibe-coded medical interfaces, we need systems, people, and policies capable enough to protect our patient communities, especially when the technologies they rely on cannot yet understand or uphold the values of privacy, consent, and equity.

Building trust in digital health is more than avoiding fines or patching systems after a breach. It’s about embedding resilience at every level: from governance and vendor accountability to frontline clinical decision-making. Academic institutions, health systems, and research institutes have a shared responsibility to model this resilience by aligning technological innovation with ethical care.

The stakes couldn’t be higher. Safeguarding ePHI is not simply a legal obligation, but a prerequisite for inclusive innovation, ethical scholarship, and community-centered public health advancement. In an era where technology moves faster than trust can be rebuilt, our research practices must prioritize community relationships over convenience, justice over efficiency, and collective benefit over individual advancement.

Ultimately, HIPAA compliance is not the end goal. It is the floor, not the ceiling: a baseline from which we must build a more secure, transparent, and equitable future for the health of our communities.


This article was brought to you by Inland Cyber Defense Clinic and additional contributors from Community Translational Research Institute. Sincere thanks to MaryAnn Ngozi Obidike, Lily Elikplim Dzidula, Sonia Baron, Tracy Gaolese, Britney Lu, Brandon Yeung, and Professor Andy Johnson for your insightful conversations!

This article is a joint collaboration between Inland Cyber Defense Clinic and the Community Translational Research Institute.


Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author and do not necessarily reflect the views of the National Science Foundation.
