A deeper understanding of attacks on healthcare

Criminal organizations target healthcare because patient information is central to billing, scheduling, referrals, labs, imaging, portals, and email communications. One compromise unlocks a long list of secondary abuses, and healthcare workflows give attackers many chances to slip in through routine work.

A 2019 commentary in JAMA captured the basic incentive in plain terms, explaining that “Healthcare data are attractive to cyber criminals because they contain financial and personal data, can be used for blackmail, and most valuable, are ideal for fraudulent billing.”


Criminal incentives behind healthcare targeting

Financial gain remains the primary motivation behind healthcare data theft. Medical records support multiple forms of fraud at once and retain value long after a stolen credit card is canceled. Paubox notes that stolen patient information can be reused for identity theft or to impersonate patients when obtaining medical services. Criminal marketplace pricing shows the demand clearly, with a driver’s license reportedly selling for about $20 while a complete identity package can reach $1,000. Attackers treat healthcare records as a versatile fraud resource: names and dates of birth support identity fraud, insurance details enable billing abuse, contact information strengthens phishing attempts, and medical history can be used for extortion or social engineering.


How stolen healthcare data gets used after a breach

Ransomware incidents often attract immediate attention because of visible service disruptions, while less obvious forms of data misuse can persist undetected for extended periods. According to Paubox, stolen healthcare records are commonly reused in follow-on attacks, including targeted phishing campaigns and blackmail attempts. The report also notes that many healthcare systems were originally designed for rapid access and clinical efficiency rather than today’s cyber threat landscape, leaving organizations with large volumes of sensitive patient data stored in environments that are difficult to secure.

Criminal groups can profit whether they exfiltrate data, encrypt systems, impersonate staff, or reuse credentials elsewhere. A single mailbox takeover can expose patient attachments and also provide a launchpad for internal impersonation.


Disruption of patient care when systems go down

Operational disruption directly affects patient care because hospitals rely on timely access to electronic records, lab orders, phone systems, and patient portals. A widely cited 2019 working paper examining hospital data breaches and care outcomes found measurable harm following breach events, reporting that “A data breach was associated with a 0.338 percentage point increase in the 30-day AMI mortality rate.” The authors further noted that breaches “may disrupt the processes of care that rely on health information technology,” linking cybersecurity incidents to real clinical consequences.

Real incidents show how quickly healthcare shifts into manual mode. Paubox’s coverage of the Ascension ransomware event states that the attack affected systems, including MyChart electronic health records, phones, and systems for ordering medical tests and medications.

One line in the same report captures the operational reality during disruption, stating that “employees had to track procedures and medications manually.”


Industry patterns and 2025 trends that kept repeating

Reported breach totals continue to change as investigations conclude and disclosures are finalized, but the underlying trends remain steady. Many large healthcare incidents are tied to vendor ecosystems, shared technology platforms, and breaches that remain undetected for extended periods. A TechTarget analysis noted that healthcare organizations continued reporting major breaches throughout 2025, affecting more than 35 million individuals, while also explaining that year-end figures frequently shift because of investigative backlogs and operational disruption during incident response. Email systems remained a primary exposure point across healthcare workflows. Paubox’s 2025 email breach summary stated that “In 2025, the U.S. Department of Health and Human Services recorded 170 email-related healthcare breaches affecting over 2.5 million individuals,” and reporting from ITPro added that “More than half (52%) of all healthcare email breaches last year involved the Microsoft 365 business email platform.”

ITPro also quotes Paubox’s Rick Kuwahara on what the sector keeps running into, saying “What we’re seeing is a perfect storm of limited resources, expanding attack surfaces, and security strategies that rely too heavily on human vigilance.”


Breaches from 2025 that show how attacks play out

Large breach statistics become clearer when viewed through specific incidents. Paubox’s 2025 breach roundup identified several major healthcare events, including Aflac affecting more than 22.6 million individuals, Conduent Business Services impacting over 10.5 million people, Yale New Haven Health System affecting about 5.56 million individuals, and Episource involving roughly 5.42 million records. Incidents of this scale often stem from shared vendors serving multiple healthcare organizations or large health systems managing data across numerous facilities and services. The broader lesson centers on how interconnected systems expand exposure and how delayed detection allows breaches to grow before they are discovered.


Defensive measures that reduce risk without breaking workflows

Security programs in healthcare work best when protections align with real clinical workflows, where email, patient portals, EHR access, vendors, and remote accounts overlap and create multiple entry points for attackers. The American Hospital Association’s 2025 review notes that the U.S. Department of Health and Human Services Cybersecurity Performance Goals focus on defending against common threats such as phishing, stolen credentials, and exploitation of known vulnerabilities. Healthcare organizations have also learned hard lessons about third-party risk, with one health system leader quoted in an AHA Knowledge Exchange paper saying, “You can’t just expect it; you have to trust but verify.” Separate reporting from Help Net Security found that 81% of healthcare data policy violations involved regulated health information, while widespread generative AI adoption introduced additional exposure, with 44% of AI-related violations involving regulated data. Effective defenses reduce human error through automatic encryption, stronger authentication, continuous monitoring for mailbox takeovers, and tighter vendor oversight. Paubox’s encrypted email delivery helps secure messages automatically without changing how healthcare teams work.


FAQs

Why can a single breach create multiple downstream issues?

Healthcare environments are highly interconnected. One compromised email account or login can expose conversations, shared systems, and partner access at the same time. Attackers often use that initial foothold to explore quietly, expanding access before anyone realizes what happened.


Why do some healthcare breaches become public long after the attack begins?

Not every incident causes immediate outages or visible damage. In many cases, attackers focus on observation and data collection rather than disruption. Detection may come weeks or months later, followed by forensic investigation and regulatory review before disclosure.


Why does email continue to appear in so many healthcare incidents?

Clinical coordination still relies heavily on email. Referrals, patient updates, vendor communication, and administrative decisions move quickly through inboxes, especially in time-pressured environments.


What part do vendors play in large healthcare breaches?

Modern healthcare depends on external platforms for billing, analytics, scheduling, and data exchange. When a vendor experiences a security failure, the impact can extend across multiple health systems that rely on the same service or shared integrations.


Which security measures help reduce risk without slowing clinical work?

Approaches that operate in the background tend to work best. Automatic encryption, strong authentication, early detection of suspicious access, and closer oversight of connected vendors protect sensitive information while allowing clinicians and staff to continue working normally.
