Healthcare organizations report rampant email security failures – and Microsoft 365 is often the weakest link

IT leaders say they're drowning in security alerts and missing real threats, thanks to limited resources, expanding attack surfaces, and weak security strategies


Healthcare organizations are increasingly being targeted in email attacks, research shows, and Microsoft 365 is often the weakest link.

More than half (52%) of all healthcare email breaches last year involved the Microsoft 365 business email platform, up from 43% the year before.

According to research from Paubox, there were 107 such attacks in the first half of this year. More than 1.6 million patient records were compromised in total, with the average breach exposing nearly 16,000 individual records.


The largest single breach, affecting United Seating and Mobility, exposed more than half a million records.

"Healthcare IT leaders are confident in their systems, until a breach happens," said Rick Kuwahara, chief compliance officer at Paubox.

"What we're seeing is a perfect storm of limited resources, expanding attack surfaces, and security strategies that rely too heavily on human vigilance."

Even some premium email security solutions aren't stopping breaches, the report notes, citing incidents involving Mimecast (8%), Proofpoint (6%), and Barracuda (5%) customers.

"The inclusion of these platforms suggests that setup, maintenance, and enforcement are more important than the brand name you buy," said Kuwahara.

Email security practices need to improve

With 79% of breached organizations having ineffective DMARC protection – up dramatically from 65% in 2024 – it appears that many healthcare providers are still not implementing basic email authentication measures.

"Strained IT teams often lack the time to continually test configurations, monitor delivery logs, or train every staff member on subtle indicators of risk. Without automation that enforces security by default, they’re left hoping staff make the right choice under pressure," the researchers said.
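To make the "ineffective DMARC" finding concrete, here is an added example (not from the Paubox report or ITPro) that parses a domain's DMARC TXT record and flags the weaknesses an IT team testing its own configuration would look for: a missing or p=none policy, a pct below 100, no aggregate-report address, or an unprotected subdomain policy. The sample records and the example.org mailbox are constructed.

```python
"""Assess whether a DMARC TXT record gives effective protection.

Added example, not from the Paubox report or ITPro; standard library only,
so it runs offline against the constructed records below. A record counts
as weak when it is missing, malformed, uses p=none, covers less than 100%
of mail, leaves subdomains at sp=none, or publishes no rua= address."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DmarcAssessment:
    effective: bool
    policy: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict, skipping malformed parts."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Return an assessment; an empty findings list means the record enforces."""
    if not record:
        return DmarcAssessment(False, None, ["no DMARC record published"])
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("missing or invalid v=DMARC1 tag")
    policy = tags.get("p")
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy} does not enforce (need quarantine or reject)")
    pct = tags.get("pct", "100")  # DMARC default is 100% when pct is absent
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are never collected")
    if tags.get("sp") == "none":
        findings.append("sp=none leaves subdomains unprotected")
    return DmarcAssessment(not findings, policy, findings)


# Constructed sample records; example.org is a reserved placeholder domain.
SAMPLE_RECORDS = {
    "weak": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "partial": "v=DMARC1; p=quarantine; pct=25",
    "strong": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.org",
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        result = assess_dmarc(rec)
        print(name, "effective" if result.effective else "weak", result.findings)
```

In a real check the record would come from a DNS TXT lookup of `_dmarc.<domain>`; this block evaluates only the record text so it runs without network access.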

"This aligns with broader concerns across the industry — 82% of IT and cybersecurity leaders say they worry about missing threats due to the overwhelming volume of alerts and data they face, and 86% simultaneously worry about HIPAA compliance, often due to gaps in resourcing and skills."

Just over eight-in-ten (81%) of healthcare email breaches were classified as cyber attacks or IT incidents, with most consisting of credential compromise or phishing attacks.

Staff aren't helping either, the study found. More than four-in-ten healthcare providers admitted their teams had bypassed secure messaging at least once in the past year – and IT leaders estimate that only 5% of known phishing attacks are actually reported by employees to security teams.

Third-party vendors are often involved, with business associates such as billing vendors, imaging firms and outsourced IT providers representing 16% of all incidents.

According to IBM's 2025 Cost of a Data Breach Report, healthcare organizations face the highest breach costs of any sector, at an average of $11 million per incident.



Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.