Healthcare organizations need to shake up email security practices
Healthcare firms are failing to implement fundamental email security protocols, leaving them open to breaches


Microsoft 365 is the source of almost half of all healthcare email breaches, thanks mainly to misconfigurations in security settings.
According to Paubox’s 2025 Healthcare Email Security Report, email is the main attack vector in the sector, with Microsoft 365 accounting for 43% of all breaches.
Proofpoint was next, at 13%, followed by Barracuda Networks and Mimecast at 7%, and Google Workspace at 3.%.
The report found that many healthcare organizations are failing to implement fundamental email security protocols, with virtually all breached organizations lacking Mail Transfer Agent Strict Transport Security (MTA-STS) protections and exposing email communications to interception.
More than a third of Microsoft 365 users had Domain-based Message Authentication, Reporting, and Conformance (DMARC) in monitor-only mode, meaning a concerning volume of phishing attempts went undetected.
Notably, researchers found three-in-ten lacked any DMARC records at all. Meanwhile, 12% lacked Sender Policy Framework (SPF) records and four-in-ten had weak configurations, making it easier for attackers to spoof emails.
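The gaps described above (monitor-only DMARC, missing or weak SPF, no MTA-STS) can be checked from a domain's published records. The following is an added example, not code from Paubox or the report: the function names, the `clinic.example` records and the decision to treat `?all`, `+all` or a missing `all` term as "permissive" are assumptions of this sketch, since the report's own scoring criteria are not given here.

```python
# Added example. Every record below is a constructed sample; no DNS lookups are made.
def parse_tags(record):
    """Split a 'k=v; k=v' TXT record (DMARC, MTA-STS) into a lowercase dict."""
    pairs = (part.partition("=") for part in record.split(";"))
    return {k.strip().lower(): v.strip().lower() for k, sep, v in pairs if sep}

def dmarc_status(txt):
    """txt: TXT strings published at _dmarc.<domain>."""
    for rec in txt:
        tags = parse_tags(rec)
        if tags.get("v") == "dmarc1":
            # p=none only requests reports; receivers still deliver spoofed mail.
            return "enforced" if tags.get("p") in ("quarantine", "reject") else "monitor-only"
    return "missing"

def spf_status(txt):
    """txt: TXT strings published at the domain itself."""
    for rec in txt:
        terms = rec.lower().split()
        if terms[:1] == ["v=spf1"]:
            for qualifier, label in (("-all", "hardfail"), ("~all", "softfail")):
                if qualifier in terms:
                    return label
            if any(t.startswith("redirect=") for t in terms):
                return "delegated"   # policy lives in another domain's record
            return "permissive"      # +all, ?all, bare all, or no all term
    return "missing"

def mta_sts_status(txt, policy_text):
    """txt: TXT at _mta-sts.<domain>; policy_text: body of the HTTPS policy file."""
    if not any(parse_tags(r).get("v") == "stsv1" for r in txt):
        return "missing"
    fields = {k.strip().lower(): v.strip().lower()
              for k, _, v in (ln.partition(":") for ln in policy_text.splitlines())}
    return fields.get("mode") or "missing"   # enforce, testing or none

def audit(d):
    """List the gaps for one domain; an empty list means all three are enforced."""
    status = {"dmarc": dmarc_status(d["dmarc"]), "spf": spf_status(d["spf"]),
              "mta-sts": mta_sts_status(d["mta_sts"], d["sts_policy"])}
    ok = {"dmarc": ("enforced",), "spf": ("hardfail", "softfail", "delegated"),
          "mta-sts": ("enforce",)}
    return [f"{name}:{state}" for name, state in status.items() if state not in ok[name]]

SAMPLE = {  # constructed records for the placeholder domain clinic.example
    "dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@clinic.example"],
    "spf": ["v=spf1 include:spf.protection.outlook.com ?all"],
    "mta_sts": [], "sts_policy": "",
}
```

Running `audit(SAMPLE)` flags all three controls; a domain publishing `p=reject`, an SPF record ending in `-all` and an MTA-STS policy with `mode: enforce` returns an empty list.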
"HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA rules, and not wait for OCR to reveal long-standing HIPAA deficiencies," warned HHS Office for Civil Rights (OCR) director Melanie Fontes Rainer.
According to the report, there's been a 264% increase in ransomware attacks on healthcare organizations since 2018, with email acting as the main attack method.
Shockingly, though, only 1% of the analyzed healthcare organizations had a low-risk email security posture. Three-in-ten were categorized as high risk, meaning they had multiple security gaps that exposed them to major cybersecurity threats.
According to IBM, the average cost of a healthcare email breach is $9.8 million - and that's before you take into account HIPAA fines, which amounted to more than $9 million last year.
These include a $9.76 million settlement by Solara Medical Supplies, after a phishing attack gave hackers access to eight employee email accounts. More than 114,000 patient records were compromised.
LA Cares was also hit with a $1.3 million fine over systemic security lapses that led to a breach.
"The increasing frequency and sophistication of cyber attacks in the health care sector pose a direct and significant threat to patient safety," said HHS deputy secretary Andrea Palm.
"These attacks endanger patients by exposing vulnerabilities in our health care system, degrading patient trust, disrupting patient care, diverting patients, and delaying medical procedures."
Email attacks show no sign of slowing down
Looking ahead, Paubox said it expects to see more attacks on cloud-based email systems, with attackers developing more sophisticated techniques to exploit misconfigurations and bypass existing security measures.
The use of AI in phishing attacks will also rise, it said.
As a result, organizations will have to work harder, with more healthcare firms required to move from optional security measures to mandatory enforcement of DMARC and SPF.
"The data shows that even the most established email security tools are just a starting point in protecting patient data," said Paubox chief compliance officer Rick Kuwahara.
"To stay compliant, organizations must continuously evaluate their implementations. That can mean adding in additional layers of defense."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.