Healthcare organizations are turning a blind eye to phishing attacks
A survey reveals that most attacks go unreported, putting patient data at risk
The vast majority of phishing attacks against the healthcare sector go unreported to security teams, leaving organizations unable to fully learn from their mistakes.
In a survey of 150 US-based healthcare IT leaders for secure email firm Paubox, six-in-ten said they had experienced at least one email security breach last year, and three-quarters that they expected even more security challenges this year.
The top risks were phishing, man-in-the-middle attacks, and password guessing, often through personal information revealed on social media.
However, IT leaders said 95% of phishing attacks went unreported to security teams, along with 96% of known email violations of the 1996 Health Insurance Portability and Accountability Act (HIPAA), aimed at protecting sensitive health information from disclosure without patient's consent.
As a result, these incidents weren't investigated, meaning that systems weren’t patched, staff weren’t alerted, and patients weren’t warned that their data may be at risk.
"We encountered a significant case where an outdated email system directly impacted patient care due to a cybersecurity breach," said Matt Murren, CEO of healthcare IT support firm True North ITG.
"The phishing attack compromised user credentials and eventually deployed ransomware across the network. It shut systems down for two weeks. Appointments were delayed. Test results were inaccessible. Urgent care cases were diverted elsewhere. Patients lost trust. This isn’t just an IT failure — it’s a patient safety crisis."
The problem doesn't seem to be a lack of awareness amongst staff. Nine-in-ten said they carried out staff training.
Ryan Winchester, CareM director of information technology, said "no amount of training can completely eliminate human error, so businesses must have safeguards in place."
The report found that healthcare organizations currently allocate only 11–20% of their IT budgets to email security, despite email being their top risk area. One persistent problem is poor infrastructure, with 83% of healthcare IT leaders saying that legacy systems disrupt day-to-day operations.
"I’ve seen first-hand how legacy email platforms can quietly — but critically — undermine operational stability and efficiency across healthcare organizations" said Murren.
In larger healthcare networks, the most common challenges include high maintenance costs that drain IT resources, persistent security vulnerabilities, outdated and complex user interfaces, system performance bottlenecks, and limited support for mobile and remote working.
The result is reactive firefighting, with about 37% of healthcare IT leaders spending between 11 and 20 hours per week just resolving secure email tickets.
"Healthcare doesn’t need more patchwork fixes — it needs a mindset shift. Patients expect secure, convenient communication, and it’s on us to meet that standard," said CEO of Paubox Hoala Greevy.
MORE FROM ITPRO
- Are phishing tests a waste of time?
- 10 quick tips for identifying phishing emails
- Phishing tactics: The top attack trends
-
Google says AI is now being used to build zero-day exploitsNews Google cyber researchers think they’ve found the first AI-generated zero-day exploit
-
Changes to EU AI Act implementation deadlines welcomed by industryNews New implementation deadlines for the EU AI Act could help remove “genuine friction” for European companies
-
Beware of emails threatening a code of conduct reviewNews A widespread phishing campaign has targeted tens of thousands of employees
-
‘The inbox is no longer the only frontline’: Phishing attacks are evolving as cyber criminals ramp up ‘multi-channel’ campaigns over email and Microsoft TeamsNews New research shows threat actors are ramping up “multi-channel” phishing attacks by combining lures via email and Microsoft Teams
-
Tycoon 2FA is down, but not out – researchers warn the phishing as a service operation is still a huge threat to businesses
News Millions of Tycoon 2FA attacks are still hitting businesses, according to research from Barracuda
-
Zephyr Energy hackers swiped £700,000 after redirecting a contractor paymentNews Payment to a Zephyr Energy contractor was siphoned off, but the incident has been contained and new security measures implemented
-
'AI-generated phishing became the baseline' for hackers last year – Kaseya warns it's going to get worse in 2026News Forget looking for typos and bad grammar, phishing campaigns are using AI to boost their attack success
-
Interpol teams up with tech firms to seize 45,000 malicious IPs, servers in global cyber crime crackdownNews Operation Synergia III saw 94 arrests - and counting - with malicious IP addresses used in phishing and fraud schemes seized
-
Is your new hire an AI clone? Microsoft says North Korean hackers are using AI to impersonate job seekers and steal company secretsNews The groups are increasingly using face-changing or voice-changing software to make their fake identities more plausible
