170 email breaches hit healthcare in 2025, and most organizations saw it coming
Dawn Halpin April 25, 2026
In 2025, 170 healthcare organizations reported email-related breaches to the U.S. Department of Health and Human Services (HHS). Those breaches exposed protected health information (PHI) for 2.5 million individuals.
According to Paubox's 2026 Healthcare Email Security Report, which surveyed more than 300 healthcare IT leaders alongside the HHS breach data, the people running those email defenses already knew where the gaps were. 60% rated their email security as inadequate. 72% said the infrastructure needed a major overhaul. The breaches were not surprises. They were the predictable result of known weaknesses going unaddressed.
The 170 figure is just under the record 180 email breaches reported in 2024. Two consecutive years at or above 170 mark a new floor for healthcare email risk, not a peak. The cost is climbing alongside the count. IBM's Cost of a Data Breach 2025 report puts the average healthcare breach at $7.42 million, the most expensive of any industry for the 12th consecutive year.
60% of healthcare organizations admit their email defenses are failing
The survey question was simple: are your email security measures adequate? 60% of healthcare IT leaders said no. 72% said their infrastructure needs a major overhaul. When the people running the systems describe them as insufficient, the breach numbers shift from bad luck to expected outcome.
The most common defense in place tells the same story. 65% of healthcare organizations rely on basic spam filters as their primary email defense. Spam filters were a reasonable baseline a decade ago. They were built to catch bulk junk mail, not credential theft, business email compromise (BEC), or AI-generated phishing. Running 2025 healthcare email through 2015 spam filtering is a known mismatch, and the breach numbers reflect it.
Only 23% of healthcare IT leaders said they were confident their email security is fully effective. 77% have doubts about their own defenses. These are the people responsible for protecting patient data. When more than three out of four say the systems they oversee are not where they need to be, the gap is not awareness but action: the risk is known internally and has not yet been acted on.
89% say AI-powered detection is critical. 44% have deployed it.
89% of healthcare IT leaders identified AI and machine learning as critical for email threat detection. Only 44% have actually deployed AI-powered email security tools. The 45-point gap between what IT leaders say is critical and what they have rolled out is the single largest disconnect in the report.
The threat side has already moved. According to KnowBe4's March 2025 Phishing Threat Trends Report, 83% of phishing emails sent between September 2024 and February 2025 used AI to evade traditional filters. Phishing messages that once carried obvious grammatical errors now read like legitimate internal communications. They mimic tone, reference real projects, and pass the quick visual check most employees rely on.
Among the healthcare organizations that have deployed AI for email security, usage skews toward basic functions: 64.9% use it for blocking spam, 58.3% for detecting malware attachments, 55.6% for flagging suspicious links. Fewer than half use it for behavioral analysis or monitoring unusual login activity, where AI's pattern-recognition advantage actually matters.
Paubox Email Suite Plus and Paubox Email Suite Premium include AI-powered inbound email security that uses generative AI to detect phishing, spoofing, and BEC. The technology analyzes tone, sender behavior, and message intent, learning each organization's email environment over time.
57% train once a year. 5% of attacks get reported.
57% of healthcare organizations conduct email security training only once a year. Only 16% train quarterly or more. At the same time, 85% of healthcare IT leaders identify employee negligence as a top email security risk.
Phishing tactics shift on a weekly basis. An employee trained in January is working with outdated pattern recognition by March. AI-generated attacks compound the problem because the visual cues from older training modules no longer apply. The training schedule and the threat schedule are out of sync, and 85% of IT leaders already know it.
The reporting numbers confirm the gap. Healthcare IT leaders estimate that only 5% of known phishing attacks are reported by employees to their security teams. For every 100 known attacks, employees flag five. The other 95 sit in inboxes. Without reports, security teams have almost no real-time signal about what is reaching staff.
A parallel pattern shows up in compliance. The report found that only 4% of known HIPAA email violations are reported by employees. Both numbers point to a culture where staff do not see reporting as their job, do not know how to report, or do not trust that anything will come of it.
What healthcare IT leaders should do with this data
The report points to three areas where measurable progress is possible inside one budget cycle.
- Replace basic spam filtering with layered email security. The 65% of organizations on basic filters are operating with a known gap. Inbound threat detection, outbound data loss prevention (DLP), and encryption address the specific attack types driving breach numbers. Paubox covers all three through the Email Suite product line.
- Deploy AI-powered detection. 89% of leaders agree it is critical. Budget and procurement should reflect that. Behavioral analysis and anomaly detection are the deployments that pay back fastest because they catch attack patterns the spam-filter generation was never built to see.
- Move to quarterly training at minimum. Annual training leaves staff unprepared for 11 months of the year. Shorter sessions tied to real phishing examples from the past 30 days build recognition skills that hold up against AI-generated attacks.
69% of healthcare IT leaders plan to increase their email security budget in the next 12 months. The spending intent is there. Whether those dollars go toward AI-powered detection and authentication enforcement, or toward incremental upgrades to the same tools 60% already describe as inadequate, will determine the 2026 breach numbers.
The path to fewer breaches runs through HIPAA compliant email
The breach numbers, the inadequacy admission, the AI gap, and the training cadence all share a common thread. Healthcare email security depends on layered defenses that authenticate senders, encrypt messages by default, and apply AI-powered detection to inbound threats. HIPAA compliant email covers the encryption side, but email security is only HIPAA aligned when the inbound, outbound, authentication, and reporting layers all work together.
Paubox is rated #1 on G2 for email encryption in healthcare and is trusted by more than 8,000 healthcare organizations. Paubox seamlessly encrypts emails, with no portals, passwords, or plugins for the recipient. Every outbound email is encrypted by default using TLS 1.2 or higher and 256-bit AES encryption. Recipients read encrypted email directly in their inbox. On the inbound side, AI-powered detection surfaces the AI-generated phishing that the basic spam filters 65% of organizations rely on cannot catch.
Read the full 2026 Healthcare Email Security Report for the survey methodology, complete breach analysis, and section-by-section findings on authentication, Microsoft 365 risk, AI adoption, and training.
FAQs
How many email-related breaches did healthcare report in 2025? 170, affecting 2.5 million individuals. The 2024 figure was 180. Two consecutive years at or above 170 mark a new floor for healthcare email risk.
What is the average cost of a healthcare data breach? $7.42 million, according to IBM's Cost of a Data Breach 2025 report. Healthcare has held the most-expensive position for 12 consecutive years.
How many healthcare organizations describe their email security as inadequate? 60%, per Paubox's 2026 Healthcare Email Security Report. 72% say the infrastructure needs a major overhaul.
What share of phishing emails now use AI? 83%, according to KnowBe4's March 2025 phishing report. The figure covers phishing emails sent between September 2024 and February 2025.