The Conduent Business Services breach, which impacted 62.2 million individuals, has now become the third-largest healthcare data breach of all time, according to the U.S. Office for Civil Rights’ updated breach portal on June 16, 2026. The attackers had been in the vendor’s systems for nearly three months, more than double what investigators initially thought. The case is an example of how one misstep by a business associate can cause hundreds of covered entities to lose control of patient data. It also fits a broader pattern noted in the 2026 Verizon Data Breach Investigations Report (DBIR) that breaches involving third parties were up 60% year over year and accounted for almost half of all breaches.

As breaches have become more frequent, organizations tend to focus on encryption, authentication, and intrusion detection, often overlooking the operational gap in delivery tracking for healthcare messages. Organizations send breach notices and other communications via portals, email systems, application programming interfaces (APIs), and vendors. Teams often assume that a message stamped with ‘sent’ has actually been sent out. Delivery status events can help determine whether a patient received the information they need, whether staff know to follow up, and whether an organization is meeting its legal obligations. So, delivery tracking is part of the evidence layer of healthcare and not something that can be ignored.

 

Why ‘sent’ is not enough in healthcare

A cross-sectional survey of over 800 veteran patients by Haun et al. found that 60.9% of respondents had used secure messaging for at least six months and used it to refill medications (66.7%), manage appointments (41.9%), look up test results (42.7%), and ask health-related questions (41.5%). Electronic communication tools aren’t optional extras; they manage logistics, clinical guidance, and payment workflows at scale. For example, an electronic health record (EHR) or email that does not get out of a system could delay care, confuse billing, or leave patients hanging on important next steps.

The 2026 DBIR shows how frequently human error happens in these communications. The report comments that the most common errors in the healthcare industry are misdelivery, loss of unencrypted devices, and misconfiguration. Misdelivery is when data is sent to the wrong person. Securing protected health information (PHI) is a challenge, even for organizations that have put in place encryption and policies.

What a healthcare organization needs to know:

  • The system that sent the message and whether it was sent over a trusted channel.
  • Whether the receiving server accepted, rejected, or temporarily deferred the message.
  • Whether the message bounced due to an invalid address or a block at the domain level.
  • If a fallback process is initiated (e.g., phone call, SMS, or postal mail).
  • If the event has been logged for audit and review.

 

Delivery tracking is not surveillance‑style tracking

Secure messaging is defined in a paper published in the AMIA Annual Symposium Proceedings Archive as “any electronic communication between a provider and patient that ensures that only those parties can access the communication.” The principle of privacy is that health communication should be confined to the intended sender and recipient. Secure email, patient-portal messages, and other functions, such as scheduling appointments, refilling medications, and receiving lab notifications, are common features in EHR systems and can empower patients when used responsibly. Those are common features in EHR systems and can be empowering to patients if used responsibly.

Operational delivery tracking is about events like Delivered, Temporary Failure, Permanent Failure, and Opened, which tell you whether communication workflows are working. Surveillance-style tracking, on the other hand, usually involves the use of third-party cookies, pixels, or analytics scripts that track user behavior across websites or apps. When misconfigured, such tracking technologies can leak PHI to advertisers or analytics providers. Across the full DBIR dataset, the human element was present in 62% of breaches. In healthcare specifically, the figure was 54%, according to the 2026 DBIR. Attackers frequently leverage unauthorized tracking channels that they can inject with malicious scripts or credentials.

 

Delivery tracking supports patient safety and access.

The Veterans Affairs survey mentioned above states that electronic messaging provides for medication refills, appointment management, and test result access. Patients also use secure messaging to ask questions and get follow-up instructions. In the introduction to the AMIA Annual Symposium Proceedings Archive paper, Guo et al. noted that secure messaging between patients and providers has “seen increasing adoption in the past decade and has resulted in new approaches to automating message triage and improving clinical efficiency.” Secure messaging has become a ubiquitous feature of EHR systems and supports a variety of functions, including the review of notes.

 

Cyberattacks show that communication infrastructure is care infrastructure

What makes the Conduent breach so interesting is that many of those impacted did not even know Conduent was handling their data. The healthcare providers’ claims processing and mailing were outsourced to an outside vendor, and they did not know they had been compromised until notification letters arrived. The takeaway is that communication infrastructure serves as care infrastructure.

When a vendor’s mailing system or email API fails or is compromised, patients may not receive appointment notices, bills, or instructions. The Conduent case also shows that business associates must report breaches, but their clients still need evidence that they delivered notifications. Delivery tracking integrated across internal systems and vendor services helps identify who contacted whom, which notices failed, and which addresses need remediation.

 

Delivery tracking creates an audit trail for compliance and accountability

The HIPAA Security Rule requires covered entities and business associates to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI). Delivery metadata underpins this requirement, providing an audit trail and proof of who sent what to whom and when. Specifically, the HITECH Act encourages the meaningful use of certified EHRs, including secure electronic messaging, to improve the quality of care and the security of patients’ information. Delivery logs enable organizations to show that they followed notification procedures and responded appropriately to message failures.

The 2026 DBIR’s healthcare snapshot points out that human error and misconfiguration remain chronic problems. Security researchers often uncover misdelivery and usually notify victims instead of using the data. Delivery tracking alone does not eliminate these risks, but it does make them easier to detect and remediate. If an email server misroutes messages or a staff member sends PHI to the wrong address, delivery logs can aid in internal investigations and corrective action. Without an audit trail, organizations may not know whether messages were misdelivered or whether they took follow-up actions.

 

What good delivery tracking looks like in healthcare

Events of General Status

The system should log events like sent, delivered, accepted, bounced, deferred, failed, opened, and clicked. For each event, it should log a timestamp, the sender system, the receiver address, and a status code.

 

Continuous alarms

Real-time webhooks should be triggered by delivery events to downstream systems. This allows teams to respond quickly to failures, resend messages, call patients, or correct invalid addresses. The DBIR says that it can take months to fix cloud misconfigurations, but delivery visibility shortens that cycle.

 

Logic for fallback

You also need to be able to track, retry, and have fallback channels. For example, if a message cannot be delivered after several attempts, the system could automatically generate a task for a phone call or a paper letter.

 

Role‑based access

Delivery logs have sensitive metadata. Access should be role-based (IT, compliance, and clinical staff), and systems should have audit trails of who viewed or exported data.

 

Retention, destruction

Logs must be retained for the required period, long enough to support audit and legal requirements, and must be securely destroyed. Retention policies should consider both successful and unsuccessful delivery events.

 

Vendor integration

Tracking should include internal systems and third-party services. Organizations should use standard webhook formats and APIs to avoid the need for manual reconciliation of vendor logs.

 

Privacy by Design

Delivery tracking should avoid capturing unnecessary data. It should not include message content or embed external trackers. Metadata should be encrypted at rest and in transit.

 

How Paubox fits in

The 2026 Healthcare Email Security Report analyzed 170 email‑related breaches from 2025. The report found that 53% of breaches involved Microsoft 365, an increase from 43% in 2024. It also noted that 41% of organizations were assessed as high risk and that 74% had ineffective DMARC protection. These statistics suggest that many healthcare organizations still struggle with basic email hygiene. Paubox’s research emphasizes the necessity of secure email delivery with strong authentication and real‑time monitoring.

For organizations using Paubox Email Suite or the Paubox Email API, delivery tracking can provide operational visibility. Developers can use events like delivered, opened, failed, and pending to build workflows that reroute failed messages, alert staff, or trigger compliance notifications. However, as noted above, delivery tracking alone does not make a workflow HIPAA compliant.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

 

FAQs

What is delivery tracking in healthcare?

Delivery tracking is the process of monitoring what happens to a digital message after it is sent.

 

Can delivery tracking involve PHI?

Yes, it can. Even metadata can reveal sensitive information if it includes patient identifiers, appointment categories, message labels, or links to healthcare services.

 

What should developers build into healthcare delivery tracking?

Developers should build clear event statuses, secure logs, webhook reliability, failure alerts, retry logic where appropriate, access controls, retention rules, and escalation workflows.