Healthcare organizations need to shake up email security practices
Healthcare firms are failing to implement fundamental email security protocols, leaving them open to breaches
Microsoft 365 is the source of almost half of all healthcare email breaches, thanks mainly to misconfigurations in security settings.
According to Paubox’s 2025 Healthcare Email Security Report, email is the main attack vector in the sector, with Microsoft 365 accounting for 43% of all breaches.
Proofpoint was next, at 13%, followed by Barracuda Networks and Mimecast at 7%, and Google Workspace at 3%.
The report found that many healthcare organizations are failing to implement fundamental email security protocols, with virtually all breached organizations lacking Mail Transfer Agent Strict Transport Security (MTA-STS) protections and exposing email communications to interception.
More than a third of Microsoft 365 users had Domain-based Message Authentication, Reporting, and Conformance (DMARC) in monitor-only mode, meaning a concerning volume of phishing attempts went undetected.
Notably, researchers found three-in-ten lacked any DMARC records at all. Meanwhile, 12% lacked Sender Policy Framework (SPF) records and four-in-ten had weak configurations, making it easier for attackers to spoof emails.
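As an added illustration (not code from the report or from Paubox), the following Python checker classifies a domain's DMARC, SPF and MTA-STS DNS records into the postures the report describes (missing DMARC, DMARC in monitor-only mode, weak SPF, absent MTA-STS) and buckets the domain by how many gaps it has, matching the report's "multiple gaps = high risk" framing. The three domains and their records are constructed samples, and the DNS lookup is stubbed with a dict.

```python
import re

# Constructed sample DNS TXT records for three hypothetical domains (not from the report).
SAMPLE_TXT = {
    "_dmarc.clinic.example": "v=DMARC1; p=none; rua=mailto:dmarc@clinic.example",
    "clinic.example": "v=spf1 include:spf.protection.outlook.com -all",
    "_mta-sts.clinic.example": "v=STSv1; id=20250101T000000Z",
    "_dmarc.hospital.example": "v=DMARC1; p=reject; pct=100",
    "hospital.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "_mta-sts.hospital.example": "v=STSv1; id=20250301T000000Z",
    "practice.example": "v=spf1 +all",  # practice.example publishes no DMARC or MTA-STS record
}

def parse_tags(record):
    """Turn 'k=v; k=v' (DMARC and MTA-STS record syntax) into a dict with lowercase keys."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def dmarc_posture(record):
    """'missing', 'monitor-only' (p=none), 'quarantine' or 'reject'."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return "missing"
    policy = parse_tags(record).get("p", "").lower()
    return "monitor-only" if policy == "none" else (policy or "missing")

def spf_posture(record):
    """'missing', 'weak' (+all, ?all or no 'all' term), 'softfail' (~all) or 'hardfail' (-all)."""
    if not record or not record.lower().startswith("v=spf1"):
        return "missing"
    m = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", record, re.IGNORECASE)
    if not m or m.group(1) in ("", "+", "?"):
        return "weak"
    return "softfail" if m.group(1) == "~" else "hardfail"

def mta_sts_posture(record):
    """'present' when a v=STSv1 policy pointer is published, else 'missing'."""
    return "present" if record and record.lower().startswith("v=stsv1") else "missing"

def assess_domain(domain, lookup=SAMPLE_TXT.get):
    """Collect the gaps the report counts; multiple gaps = high, one = medium, none = low."""
    findings = {"dmarc": dmarc_posture(lookup("_dmarc." + domain)),
                "spf": spf_posture(lookup(domain)),
                "mta_sts": mta_sts_posture(lookup("_mta-sts." + domain))}
    gaps = [msg for cond, msg in (
        (findings["dmarc"] == "missing", "no DMARC record"),
        (findings["dmarc"] == "monitor-only", "DMARC in monitor-only mode (p=none)"),
        (findings["spf"] in ("missing", "weak"), "SPF " + findings["spf"]),
        (findings["mta_sts"] == "missing", "no MTA-STS record")) if cond]
    findings["gaps"], findings["risk"] = gaps, ("high" if len(gaps) > 1 else "medium" if gaps else "low")
    return findings
```

Swap `lookup` for a real resolver (for example, a function wrapping a TXT query) to run the same classification against live domains you administer.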
"HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA rules, and not wait for OCR to reveal long-standing HIPAA deficiencies," warned HHS Office for Civil Rights (OCR) director Melanie Fontes Rainer.
According to the report, there's been a 264% increase in ransomware attacks on healthcare organizations since 2018, with email acting as the main attack method.
Shockingly, though, only 1% of the analyzed healthcare organizations had a low-risk email security posture. Three-in-ten were categorized as high risk, meaning they had multiple security gaps that exposed them to major cybersecurity threats.
According to IBM, the average cost of a healthcare email breach is $9.8 million - and that's before you take into account HIPAA fines, which amounted to more than $9 million last year.
These include a $9.76 million settlement by Solara Medical Supplies, after a phishing attack gave hackers access to eight employee email accounts. More than 114,000 patient records were compromised.
LA Cares was also hit with a $1.3 million fine over systemic security lapses that led to a breach.
"The increasing frequency and sophistication of cyber attacks in the health care sector pose a direct and significant threat to patient safety," said HHS deputy secretary Andrea Palm.
"These attacks endanger patients by exposing vulnerabilities in our health care system, degrading patient trust, disrupting patient care, diverting patients, and delaying medical procedures."
Email attacks show no sign of slowing down
Looking ahead, Paubox said it expects to see more attacks on cloud-based email systems, with attackers developing more sophisticated techniques to exploit misconfigurations and bypass existing security measures.
The use of AI in phishing attacks will also rise, it said.
As a result, organizations will have to work harder, with more healthcare firms required to move from optional security measures to mandatory enforcement of DMARC and SPF.
"The data shows that even the most established email security tools are just a starting point in protecting patient data," said Paubox chief compliance officer Rick Kuwahara.
"To stay compliant, organizations must continuously evaluate their implementations. That can mean adding in additional layers of defense."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.