Bribery, intimidation, insiders preferring convenience, and carelessness . . . are the usual suspects.
Caring less: Insiders give up enough clues, to what their password might be; or insiders outright give away their password.
That is one of the reasons that nobody should expose their lives to online forums. Because the bad actors collect information and assess The Top Ten most vulnerable insiders, every day. And the bad actors just wait for opportune moments.
*That* is the leading pry-bar that gets hackers into health care systems.
Every day, bad actors wait for network users to do something that leaves a door open.