Email Remains a Leading Security Risk in Healthcare



Email remains the main communication tool in healthcare, but it is also the sector's weakest security link: 180 healthcare organizations fell victim to email-related breaches in 2024, according to Paubox's 2025 "Healthcare Email Security Report."

Paubox, a provider of HIPAA-compliant email encryption, says it compiled the report from data on the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Breach Portal, often referred to as the "Wall of Shame."

The report examined breaches reported between January 1, 2024, and January 31, 2025, focusing on those that involved failures in email security.

It was found that Microsoft 365 was the most frequently compromised platform, responsible for 43.3% of breaches.


Other affected platforms included Proofpoint (12.8%), Barracuda Networks (7.2%), Mimecast (6.7%) and Google Workspace (3.3%).

Although Microsoft 365 has built-in security features, weak enforcement of those features has left many organizations open to attack, the report says. Without proper security measures, healthcare organizations using any of these platforms remain at risk.

Cybercriminals prey on weaknesses in email security through a variety of attack methods, including:

  • Phishing, in which deceptive emails impersonate trusted sources to trick employees into revealing credentials or downloading malware, remains the most common attack. Paubox found that only 5% of phishing attacks are reported to security teams, allowing threats to go undetected.
  • Spoofing and impersonation attacks, in which attackers forge email headers to make messages appear legitimate.
  • Credential theft, in which attackers exploit weak or reused passwords to gain access to email accounts.
  • Malware and ransomware, distributed through infected email attachments or malicious links.
  • Insider fraud, a persistent threat: employees with access to patient data pose a security risk, whether through negligence or malicious intent.

The financial consequences of email breaches are also serious.

A previous Paubox survey found that nearly 70% of healthcare IT leaders estimate the cost of a HIPAA violation at more than $250,000.

IBM, for its part, has reported that the average cost of a healthcare data breach is $9.8 million.

Despite a 70% increase in healthcare cybersecurity spending over the past four years, email remains a critical weak point.

According to the report, 31.1% of breached organizations were classified as high risk, meaning they had multiple security gaps exposing them to major cybersecurity threats.

In addition, 67.8% were classified as medium risk and only 1.1% met the criteria for low risk.

It was also revealed that only 27% of IT leaders are confident in their ability to prevent breaches in 2025.

Many of the Microsoft 365 breaches stemmed from flawed security settings. The report found that 37.2% of organizations using Microsoft 365 had settings that left them vulnerable to phishing attacks.

Gaps in basic email authentication add to the risk.

For example, 12.2% of organizations had no Sender Policy Framework (SPF) record at all, while 40% had weak "soft" SPF records, which only flag rather than reject mail from unauthorized senders, making it easier for attackers to spoof their domains.

Additionally, 30.6% had no Domain-based Message Authentication, Reporting and Conformance (DMARC) record, and 34.4% had DMARC set to "monitor-only," a policy that reports spoofed messages but does not instruct receiving mail servers to quarantine or reject them, so spoofed mail is still delivered.
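To make the four weak configurations above concrete, here is a small offline checker that classifies a domain's SPF and DMARC TXT records into the same categories the report counts: missing SPF, soft-fail SPF, missing DMARC and monitor-only DMARC. This is an added example, not code from Paubox or from the report; it takes TXT records as plain strings (a practitioner would paste in the records of their own domain and its _dmarc subdomain), and the three sample domains and their records are constructed for illustration. The spf.protection.outlook.com include is the one Microsoft 365 tenants publish; everything else (domain names, mailbox names) is made up.

```python
"""Classify SPF and DMARC records into the weak configurations the report counts.

Added example, not Paubox's code. Works offline on TXT record strings; the
sample domains below are constructed. It goes slightly beyond the article by
also flagging '+all', '?all', a missing 'all' term, and partial DMARC pct values.
"""

# Qualifier of the terminating 'all' mechanism -> SPF result for unlisted senders
ALL_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def find_spf(txt_records):
    """Return the single v=spf1 record, or None if there are zero or several
    (RFC 7208 treats multiple SPF records as a permanent error)."""
    spf = [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def spf_all_qualifier(spf):
    """Return '-', '~', '?' or '+' for the record's 'all' term, or None if absent."""
    for term in spf.split()[1:]:
        t = term.lower()
        if t == "all":
            return "+"  # a bare 'all' is '+all'
        if len(t) == 4 and t[1:] == "all" and t[0] in ALL_QUALIFIERS:
            return t[0]
    return None


def parse_dmarc(txt_records):
    """Return the v=DMARC1 record as a dict of tag -> value, or None if absent."""
    for r in txt_records:
        if r.strip().lower().startswith("v=dmarc1"):
            tags = {}
            for part in r.split(";"):
                if "=" in part:
                    k, v = part.split("=", 1)
                    tags[k.strip().lower()] = v.strip()
            return tags
    return None


def classify(domain_txt, dmarc_txt):
    """Return the list of weaknesses for one domain; an empty list means SPF ends
    in -all and DMARC enforces quarantine or reject on 100% of mail."""
    findings = []

    spf = find_spf(domain_txt)
    if spf is None:
        findings.append("no SPF record")
    else:
        q = spf_all_qualifier(spf)
        if q == "-":
            pass  # hard fail: receivers may reject unauthorized senders outright
        elif q is None and any(t.lower().startswith("redirect=") for t in spf.split()):
            findings.append("SPF delegated via redirect= (check the target domain)")
        else:
            # '~all', '?all', '+all' and a missing 'all' all let spoofed mail through
            findings.append("soft SPF (%s)" % ALL_QUALIFIERS.get(q, "no 'all' term"))

    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        p = dmarc.get("p", "").lower()
        if p == "none":
            findings.append("DMARC monitor-only (p=none)")
        elif p not in ("quarantine", "reject"):
            findings.append("DMARC policy missing or invalid")
        elif dmarc.get("pct", "100") != "100":
            findings.append("DMARC enforced on only %s%% of mail" % dmarc["pct"])

    return findings


# Constructed sample data: a Microsoft 365 tenant with the weak settings the
# report describes, the same tenant after hardening, and a domain with nothing.
SAMPLE_DOMAINS = {
    "clinic-weak.example": (
        ["v=spf1 include:spf.protection.outlook.com ~all"],
        ["v=DMARC1; p=none; rua=mailto:dmarc@clinic-weak.example"],
    ),
    "clinic-hardened.example": (
        ["v=spf1 include:spf.protection.outlook.com -all"],
        ["v=DMARC1; p=reject; rua=mailto:dmarc@clinic-hardened.example"],
    ),
    "clinic-none.example": ([], []),
}


def audit(domains=SAMPLE_DOMAINS):
    """Classify every domain; returns {domain: [findings]}."""
    return {d: classify(apex, dmarc) for d, (apex, dmarc) in domains.items()}


if __name__ == "__main__":
    for domain, findings in audit().items():
        print(domain, "->", findings or ["ok"])
```

The checker deliberately treats "~all" and "p=none" as findings rather than as acceptable intermediate states: both are legitimate while a domain is still inventorying its senders, but the report's figures show many organizations never move past them. A live audit would fetch the apex and _dmarc TXT records with a DNS resolver and pass them to classify(); that lookup is left out so the example runs offline.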

Looking ahead, authors of the report expect attackers to target cloud-based email systems with AI-driven phishing techniques that can bypass traditional security measures.

Regulatory requirements may also become stricter, with new standards for email security such as mandatory enforcement of the DMARC and SPF authentication protocols.

OCR Director Melanie Fontes Rainer stressed the importance of risk analysis.

“An accurate and thorough risk analysis is foundational to both HIPAA Security Rule compliance and protecting health information from cyberattacks,” she said. “Failure to conduct a risk analysis leaves healthcare entities exposed to future hacking and ransomware attacks.”

To address these challenges, the report suggests that healthcare IT leaders adopt a proactive security strategy.

Investing in security tools is essential, but properly deploying those tools and maintaining them over time are just as important.

“The data shows that even the most established email security tools are just a starting point in protecting patient data,” Paubox Chief Compliance Officer Rick Kuwahara said. “To stay compliant, organizations must continuously evaluate their implementations. That can mean adding in additional layers of defense.”

© 2025 MJH Life Sciences

All rights reserved.