Healthcare organizations are turning a blind eye to phishing attacks
A survey reveals that most attacks go unreported, putting patient data at risk
The vast majority of phishing attacks against the healthcare sector go unreported to security teams, leaving organizations unable to fully learn from their mistakes.
In a survey of 150 US-based healthcare IT leaders for secure email firm Paubox, six-in-ten said they had experienced at least one email security breach last year, and three-quarters that they expected even more security challenges this year.
The top risks were phishing, man-in-the-middle attacks, and password guessing, often through personal information revealed on social media.
However, IT leaders said 95% of phishing attacks went unreported to security teams, along with 96% of known email violations of the 1996 Health Insurance Portability and Accountability Act (HIPAA), aimed at protecting sensitive health information from disclosure without patient's consent.
As a result, these incidents weren't investigated, meaning that systems weren’t patched, staff weren’t alerted, and patients weren’t warned that their data may be at risk.
"We encountered a significant case where an outdated email system directly impacted patient care due to a cybersecurity breach," said Matt Murren, CEO of healthcare IT support firm True North ITG.
"The phishing attack compromised user credentials and eventually deployed ransomware across the network. It shut systems down for two weeks. Appointments were delayed. Test results were inaccessible. Urgent care cases were diverted elsewhere. Patients lost trust. This isn’t just an IT failure — it’s a patient safety crisis."
The problem doesn't seem to be a lack of awareness amongst staff. Nine-in-ten said they carried out staff training.
Ryan Winchester, CareM director of information technology, said "no amount of training can completely eliminate human error, so businesses must have safeguards in place."
The report found that healthcare organizations currently allocate only 11–20% of their IT budgets to email security, despite email being their top risk area. One persistent problem is poor infrastructure, with 83% of healthcare IT leaders saying that legacy systems disrupt day-to-day operations.
"I’ve seen first-hand how legacy email platforms can quietly — but critically — undermine operational stability and efficiency across healthcare organizations" said Murren.
In larger healthcare networks, the most common challenges include high maintenance costs that drain IT resources, persistent security vulnerabilities, outdated and complex user interfaces, system performance bottlenecks, and limited support for mobile and remote working.
The result is reactive firefighting, with about 37% of healthcare IT leaders spending between 11 and 20 hours per week just resolving secure email tickets.
"Healthcare doesn’t need more patchwork fixes — it needs a mindset shift. Patients expect secure, convenient communication, and it’s on us to meet that standard," said CEO of Paubox Hoala Greevy.
MORE FROM ITPRO
- Are phishing tests a waste of time?
- 10 quick tips for identifying phishing emails
- Phishing tactics: The top attack trends
-
AWS hits back at EU cloud 'gatekeeper' designation hintsNews Gatekeeper designation under the legislation would force AWS and Microsoft to make concessions
-
Is the Top500 meaningless? Not so, says US national laboratory CTOIn-depth LINPACK may measure only one process, but there are real and meaningful use cases for exascale systems
-
‘They risk damaging confidence’: A Canadian health board outraged staff with phishing tests offering paid leave – experts say it shows why you need to be careful with cyber awareness campaignsNews Phishing tests require a delicate touch, emulating realism while not “exploiting goodwill”
-
Hackers are capitalizing on AI hype to ramp up social engineering attacks – and they're using big brands like Anthropic, OpenAI, and DeepSeek as ‘bait’ to lure victimsNews Microsoft says cyber criminals are impersonating popular AI platforms to deliver malware
-
Beware of emails threatening a code of conduct review
News A widespread phishing campaign has targeted tens of thousands of employees
-
‘The inbox is no longer the only frontline’: Phishing attacks are evolving as cyber criminals ramp up ‘multi-channel’ campaigns over email and Microsoft TeamsNews New research shows threat actors are ramping up “multi-channel” phishing attacks by combining lures via email and Microsoft Teams
-
Tycoon 2FA is down, but not out – researchers warn the phishing as a service operation is still a huge threat to businesses
News Millions of Tycoon 2FA attacks are still hitting businesses, according to research from Barracuda
-
Zephyr Energy hackers swiped £700,000 after redirecting a contractor paymentNews Payment to a Zephyr Energy contractor was siphoned off, but the incident has been contained and new security measures implemented
-
'AI-generated phishing became the baseline' for hackers last year – Kaseya warns it's going to get worse in 2026News Forget looking for typos and bad grammar, phishing campaigns are using AI to boost their attack success
