Despite increased investment in cybersecurity, healthcare organisations continue to face serious risks from email-based threats. In 2024 alone, 180 healthcare entities reported email-related breaches to the U.S. Department of Health and Human Services. These breaches not only compromised sensitive patient data but also resulted in significant financial penalties, operational disruptions and reputational damage. While many IT leaders estimate the cost of a HIPAA violation to be around €230,000 ($250,000), IBM places the average cost of a healthcare data breach at a staggering €9 million ($9.8 million).
The 2025 Healthcare Email Security Report by Paubox reveals that many organisations continue to rely solely on premium platforms such as Microsoft 365 without ensuring that security settings are correctly configured or that essential protections are in place. This has left critical gaps in their defences. The report emphasises the necessity of integrating layered solutions to close these vulnerabilities and achieve genuine compliance.
Email: Healthcare’s Weakest Security Link
Email remains the principal communication tool in healthcare settings, yet it is also the weakest point in many organisations’ cybersecurity infrastructure. The most common attack vectors include phishing, spoofing and impersonation, credential theft, malware, ransomware and insider fraud. Each of these exploits the vulnerabilities of users or the absence of essential email protections. Phishing emails trick employees into disclosing credentials or clicking malicious links, yet only 5% of such attacks are reported by staff to their security teams. Spoofing tactics involve falsifying the sender’s address to make emails appear to originate from trusted sources, often leading to unauthorised data transfers or fraudulent transactions. In cases of credential theft, attackers use stolen or weak passwords to gain access to email accounts, as seen in the Warby Parker breach, which compromised nearly 200,000 records.
Ransomware is also commonly distributed via email, encrypting files and demanding payment for restoration. Insider threats remain an ongoing concern, with employees misusing access privileges to steal or leak patient data. These attack types exploit misconfigured systems and poor awareness, underlining the pressing need for stronger authentication protocols and threat detection mechanisms.
The Microsoft 365 Paradox and Misconfiguration Crisis
Microsoft 365 continues to be the most widely adopted email platform in the healthcare sector. However, this widespread use also makes it a prime target for cybercriminals. In 2024, Microsoft 365 was the provider involved in 43.3% of all email-related breaches. While the platform includes built-in security features, these are frequently underused or incorrectly configured. A key example is DMARC, an email authentication protocol that helps prevent spoofing. Among breached Microsoft 365 users, 37.2% had DMARC set to “monitor-only” mode (a policy of p=none), meaning spoofed emails were reported but still delivered. Additionally, 24.4% of Microsoft 365 users were rated as high risk, even when they had purchased the E5 security licence, the platform’s most advanced protection tier.
SPF, another essential email verification method, was missing entirely in 12.2% of organisations. Even when present, 40% used soft SPF (a record ending in the ~all “softfail” qualifier rather than -all), a weaker configuration under which receiving servers typically still deliver mail from unlisted senders, so spoofing attempts succeed. DMARC was missing in 30.6% of cases, and 34.4% had it in a passive mode. These findings show that organisations often assume their systems are secure simply because they have invested in premium tools. However, without proper setup and monitoring, these tools provide little real protection. A false sense of security persists, leaving organisations vulnerable to attacks they believed they had already prevented.
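As an added illustration, not code from the Paubox report or this article, the following Python checker classifies published SPF and DMARC TXT records into the same categories the report uses (missing, soft SPF, DMARC monitor-only, enforced). The domain names and records are constructed samples, and `lookup_txt` stands in for a real DNS query.

```python
import re

# Constructed sample DNS TXT records for three hypothetical domains (not real data).
# A real check would query the same two names (domain and _dmarc.domain) over DNS.
SAMPLE_TXT = {
    "clinic-a.example": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.clinic-a.example": ["v=DMARC1; p=none; rua=mailto:dmarc@clinic-a.example"],
    "clinic-b.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.clinic-b.example": ["v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@clinic-b.example"],
    "clinic-c.example": [],  # neither SPF nor DMARC published
}

def lookup_txt(name, zone=SAMPLE_TXT):
    """Stand-in for a DNS TXT query; returns the records published at `name`."""
    return zone.get(name, [])

def classify_spf(records):
    """'missing', 'soft', 'enforced' or 'permissive', decided by the 'all' qualifier."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            # -all: hard fail (enforced); ~all: softfail, receivers usually still deliver.
            return {"-": "enforced", "~": "soft"}.get(m.group(1), "permissive")
    return "permissive"  # no 'all' mechanism: unlisted senders get a neutral result

def classify_dmarc(records):
    """'missing', 'monitor', 'quarantine' or 'reject', taken from the p= tag."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return "missing"
    tags = dict(kv.strip().split("=", 1) for kv in dmarc[0].split(";") if "=" in kv)
    policy = tags.get("p", "").strip().lower()
    if policy == "none":
        return "monitor"  # monitor-only: aggregate reports sent, spoofed mail delivered
    return policy if policy in ("quarantine", "reject") else "missing"

def assess(domain, zone=SAMPLE_TXT):
    """Report-style findings for a domain; an empty list means both are enforced."""
    findings = []
    spf = classify_spf(lookup_txt(domain, zone))
    if spf != "enforced":
        findings.append(f"SPF {spf}")
    dmarc = classify_dmarc(lookup_txt(f"_dmarc.{domain}", zone))
    if dmarc in ("missing", "monitor"):
        findings.append(f"DMARC {dmarc}")
    return findings
```

Running `assess` over a list of owned domains gives a quick inventory of which ones sit in the monitor-only or soft-SPF state the report warns about.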
Escalating Consequences and Regulatory Pressure
The consequences of inadequate email security in healthcare are substantial. In one prominent case, Solara Medical Supplies suffered a breach when a phishing email allowed unauthorised access to eight employee accounts. The result was the exposure of more than 114,000 patient records. This led to a €2.75 million ($3 million) settlement with the Office for Civil Rights and a €9 million ($9.76 million) class action payout. Such incidents are not isolated, and many similar cases are listed on the OCR’s public breach portal.
Regulatory bodies are tightening expectations. The HIPAA Security Rule now requires organisations to conduct thorough risk analyses and to implement both required and addressable security measures. When addressable measures are not applied, organisations must document why and propose suitable alternatives. Failing to do so can result in enforcement action. The future outlook includes a rise in attacks against cloud-based email platforms, such as Microsoft 365, and the emergence of AI-driven phishing schemes. These developments will likely accelerate the introduction of mandatory compliance with email authentication standards like DMARC and SPF.
At the same time, pressure is growing for increased cybersecurity investment. Legislation such as the proposed Health Infrastructure Security and Accountability Act aims to bring greater consistency to healthcare data protection requirements. In this regulatory climate, ignoring or delaying action on email security is becoming an increasingly costly mistake.
The state of email security in healthcare remains a critical concern. Even with growing budgets and access to advanced tools, many organisations still fall victim to breaches due to poor configuration, inadequate monitoring and human error. Microsoft 365, despite its dominance, is not sufficient on its own, and even its built-in protections only help when they are properly configured. The scale of risk is only increasing, as threat actors become more sophisticated and as regulatory bodies raise their expectations. Healthcare providers can no longer afford to view email security as a compliance task or a technology purchase. Instead, it must be treated as a strategic priority requiring continuous attention. In a sector where patient trust, legal compliance and financial health are all at stake, robust email security is not optional—it is imperative.
Source: Paubox