Microsoft 365 is the source of almost half of all healthcare email breaches, thanks mainly to misconfigurations in security settings.
According to Paubox’s 2025 Healthcare Email Security Report, email is the main attack vector in the sector, with Microsoft 365 accounting for 43% of all breaches.
Proofpoint was next, at 13%, followed by Barracuda Networks and Mimecast at 7%, and Google Workspace at 3.%.
The report found that many healthcare organizations are failing to implement fundamental email security protocols, with virtually all breached organizations lacking Mail Transfer Agent Strict Transport Security (MTA-STS) protections and exposing email communications to interception.
More than a third of Microsoft 365 users had Domain-based Message Authentication, Reporting, and Conformance (DMARC) in monitor-only mode, meaning a concerning volume of phishing attempts went undetected.
Notably, researchers found three-in-ten lacked any DMARC records at all. Meanwhile, 12% lacked Sender Policy Framework (SPF) records and four-in-ten had weak configurations, making it easier for attackers to spoof emails.
“HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA rules, and not wait for OCR to reveal long-standing HIPAA deficiencies," warned HHS Office for Civil Rights (OCR) director Melanie Fontes Rainer.
According to the report, there's been a 264% increase in ransomware attacks on healthcare organizations since 2018, with email acting as the main attack method.
Shockingly, though, only 1% of the analyzed healthcare organizations had a low-risk email security posture. Three-in-ten were categorized as high risk, meaning they had multiple security gaps that exposed them to major cybersecurity threats.
According to IBM, the average cost of a healthcare email breach is $9.8 million - and that's before you take into account HIPAA fines, which amounted to more than $9 million last year.
These include a $9.76 million settlement by Solara Medical Supplies, after a phishing attack gave hackers access to eight employee email accounts. More than 114,000 patient records were compromised.
RELATED WHITEPAPER
LA Cares was also hit with a $1.3 million fine over systemic security lapses that led to a breach.
"The increasing frequency and sophistication of cyber attacks in the health care sector pose a direct and significant threat to patient safety," said HHS deputy secretary Andrea Palm.
"These attacks endanger patients by exposing vulnerabilities in our health care system, degrading patient trust, disrupting patient care, diverting patients, and delaying medical procedures."
Email attacks show no sign of slowing down
Looking ahead, Paubox said it expects to see more attacks on cloud-based email systems, with attackers developing more sophisticated techniques to exploit misconfigurations and bypass existing security measures.
The use of AI in phishing attacks will also rise, it said.
As a result, organizations will have to work harder, with more healthcare firms required to move from optional security measures to mandatory enforcement of DMARC and SPF.
"The data shows that even the most established email security tools are just a starting point in protecting patient data," said Paubox chief compliance officer Rick Kuwahara.
"To stay compliant, organizations must continuously evaluate their implementations. That can mean adding in additional layers of defense."
MORE FROM ITPRO
-
Trump's AI executive order could leave US in a 'regulatory vacuum'News Citing a "patchwork of 50 different regulatory regimes" and "ideological bias", President Trump wants rules to be set at a federal level
-
TPUs: Google's home advantageITPro Podcast How does TPU v7 stack up against Nvidia's latest chips – and can Google scale AI using only its own supply?
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Google wants to take hackers to courtNews You don't have a package waiting for you, it's a scam – and Google is fighting back
-
77% of security leaders say they'd fire staff who fall for phishing scams, even though they've done the same thingNews A new report uncovers worrying complacency amongst IT and security leaders
-
Been offered a job at Google? Think again. This new phishing scam is duping tech workers looking for a career changeNews A new Google Careers phishing scam is targeting tech workers looking for a change of scenery – here's how to stay safe
-
Hackers are using a new phishing kit to steal Microsoft 365 credentials and MFA tokens – Whisper 2FA is evolving rapidly and has been used in nearly one million attacks since JulyNews Whisper 2FA is now the third most common Phishing as a Service tool worldwide
-
Microsoft and Cloudflare just took down a major phishing operationNews RaccoonO365’s phishing as a service platform has risen to prominence via Telegram
-
Hackers are abusing ConnectWise ScreenConnect, againNews A new spear phishing campaign has targeted more than 900 organizations with fake invitations from platforms like Zoom and Microsoft Teams.
-
Malicious URLs overtake email attachments as the biggest malware threatNews With malware threats surging, research from Proofpoint highlights the increasing use of off-the-shelf 'phish kits' like CoGUI and Darcula
