Critical infrastructure is a high value target in the real world and cyberspace. A failure to protect the critical infrastructure in the cyberspace could lead to serious financial and material losses and violate the effective functioning of a country. In this paper, we will focus on healthcare as an important part of the critical infrastructure. An important part of the healthcare infrastructure are hospitals. Hospital personnel is increasingly using mobile devices in their everyday work to improve patient care. Hospitals may however fail to adequately address the use of mobile devices and adapt their information security policies in time. Hospital personnel may use both their personal and work mobile devices for everyday work. Sometimes they do it without adhering to an adequate hospital information security policy. The objective of this paper is to study the relation between the use of mobile devices, adhering to hospital information security policy and perceived consequences of data breaches. An exploratory survey (N = 95) has been conducted in a Slovenian hospital. Respondents were asked about the use of their personal and work mobile devices for accessing medical data, adhering to the hospital information security policy, and the perceived consequences of data breaches for themselves, the hospital and the patients. The results show that perceived personal consequences are negatively correlated with personal and work mobile device use for work. Also, adhering to information security policy is positively correlated with perceived data breach consequences for both the patients and the hospital.