Microsoft 365 is the source of almost half of all healthcare email breaches, thanks mainly to misconfigurations in security settings.
According to Paubox’s 2025 Healthcare Email Security Report, email is the main attack vector in the sector, with Microsoft 365 accounting for 43% of all breaches.
Proofpoint was next, at 13%, followed by Barracuda Networks and Mimecast at 7%, and Google Workspace at 3.%.
The report found that many healthcare organizations are failing to implement fundamental email security protocols, with virtually all breached organizations lacking Mail Transfer Agent Strict Transport Security (MTA-STS) protections and exposing email communications to interception.
More than a third of Microsoft 365 users had Domain-based Message Authentication, Reporting, and Conformance (DMARC) in monitor-only mode, meaning a concerning volume of phishing attempts went undetected.
Notably, researchers found three-in-ten lacked any DMARC records at all. Meanwhile, 12% lacked Sender Policy Framework (SPF) records and four-in-ten had weak configurations, making it easier for attackers to spoof emails.
“HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA rules, and not wait for OCR to reveal long-standing HIPAA deficiencies," warned HHS Office for Civil Rights (OCR) director Melanie Fontes Rainer.
According to the report, there's been a 264% increase in ransomware attacks on healthcare organizations since 2018, with email acting as the main attack method.
Shockingly, though, only 1% of the analyzed healthcare organizations had a low-risk email security posture. Three-in-ten were categorized as high risk, meaning they had multiple security gaps that exposed them to major cybersecurity threats.
According to IBM, the average cost of a healthcare email breach is $9.8 million - and that's before you take into account HIPAA fines, which amounted to more than $9 million last year.
These include a $9.76 million settlement by Solara Medical Supplies, after a phishing attack gave hackers access to eight employee email accounts. More than 114,000 patient records were compromised.
RELATED WHITEPAPER
LA Cares was also hit with a $1.3 million fine over systemic security lapses that led to a breach.
"The increasing frequency and sophistication of cyber attacks in the health care sector pose a direct and significant threat to patient safety," said HHS deputy secretary Andrea Palm.
"These attacks endanger patients by exposing vulnerabilities in our health care system, degrading patient trust, disrupting patient care, diverting patients, and delaying medical procedures."
Email attacks show no sign of slowing down
Looking ahead, Paubox said it expects to see more attacks on cloud-based email systems, with attackers developing more sophisticated techniques to exploit misconfigurations and bypass existing security measures.
The use of AI in phishing attacks will also rise, it said.
As a result, organizations will have to work harder, with more healthcare firms required to move from optional security measures to mandatory enforcement of DMARC and SPF.
"The data shows that even the most established email security tools are just a starting point in protecting patient data," said Paubox chief compliance officer Rick Kuwahara.
"To stay compliant, organizations must continuously evaluate their implementations. That can mean adding in additional layers of defense."
MORE FROM ITPRO
-
How to implement a four-day week in techIn-depth More companies are switching to a four-day week as they look to balance employee well-being with productivity
-
Intelligence sharing: The boost for businessesIn-depth Intelligence sharing with peers is essential if critical sectors are to be protected
-
New hires are your weakest link when it comes to phishing attacks – here's how you can build a strong security culture that doesn't judge victimsNews Research from Keepnet shows new hires are far more likely to fall for phishing attacks – here's how you can improve security awareness during onboarding processes.
-
Hackers are using Microsoft 365 features to bombard enterprises with phishing emails – and they’ve already hit more than 70 organizationsNews A new phishing campaign uncovered by researchers at Varonis shows threat actors are abusing Microsoft 365's Direct Send feature to launch phishing attacks.
-
FIN6 attackers target recruiters with fraudulent resumesNews The group's phishing methods protect it from many detection tools, researchers warn
-
100,000 accounts have been hit in a HMRC scam campaign, but the tax office says it wasn't hacked – here's whyNews Organized criminals used phished data to set up dodgy HMRC accounts and demand tax rebates
-
Employee phishing training is working – but don’t get complacent
News Educating staff on how to avoid phishing attacks can cut the rate by 80%
-
Russian hackers tried to lure diplomats with wine tasting – sound familiar? It’s an update to a previous campaign by the notorious Midnight Blizzard groupNews The Midnight Blizzard threat group has been targeting European diplomats with malicious emails offering an invite to wine tasting events, according to Check Point.
-
This hacker group is posing as IT helpdesk workers to target enterprises – and researchers warn its social engineering techniques are exceptionally hard to spotNews The Luna Moth hacker group is ramping up attacks on firms across a range of industries with its 'callback phishing' campaign, according to security researchers.
-
Healthcare organizations are turning a blind eye to phishing attacks
News A survey reveals that most attacks go unreported, putting patient data at risk
