Email compromises continue to hit healthcare at alarming rate

An increasing number of providers are reporting inbox-based breaches that expose patient information and lead to costly investigations.

What happened

According to Information Security Media Group, more than 150 email-related breaches have been reported to the U.S. Department of Health and Human Services so far this year, affecting nearly 2.2 million people. Email compromises account for more than a quarter of all incidents reported in 2025. The largest email incident involved United Seating and Mobility (Numotion), which notified almost 500,000 individuals after attackers accessed employee inboxes. Experts note that phishing and social engineering remain the most common entry points, and healthcare organizations continue to face operational pressure as attackers shift tactics and exploit human error.

Going deeper

Email remains one of the most exposed communication channels in healthcare. Workforce members interact with external contacts daily, and inboxes often contain patient scheduling details, insurance information, and internal workflow data that can be used for further compromise. Investigators note that attackers rely on messages that imitate familiar service notifications or internal instructions, which makes detection difficult for staff. Even with security awareness training in place, phishing emails continue to bypass technical controls and reach users, leading to credential theft and unauthorised access to cloud-based mail platforms. The adoption of generative tools by threat actors has also raised concerns about the sophistication and volume of phishing activity.

What was said

Security specialists interviewed about the trend state that phishing succeeds because it targets human decision-making rather than system vulnerabilities. They described how urgency cues, false support messages, and impersonation of trusted services continue to influence users into clicking unexpected links or approving fraudulent prompts. They also stressed that inbox-based compromises often trigger lengthy data reviews, regulatory reporting requirements, and patient notifications because email accounts typically store unstructured sensitive data. Recommended controls include enforcing strong authentication, applying conditional access rules, and tightening identity verification procedures for remote support requests.

The big picture

Paubox’s State of Security Report notes that email breaches “represent the single largest source of cybersecurity incidents and financial liability in the healthcare sector,” a trend reflected in this case. The report shows that “180 healthcare organizations reported email-related security breaches” between January 2024 and January 2025, and the first half of 2025 alone saw “107 email-related incidents” affecting more than 1.6 million people. These figures show how easily a single compromised inbox can expose large volumes of patient data and why healthcare organizations are being pushed to strengthen email security, review access controls, and cut their reliance on unsecured communication workflows.

FAQs

Why do email breaches remain so widespread in healthcare?

Email connects healthcare workers to external contacts throughout the day, which exposes users to ongoing phishing attempts and makes it easier for attackers to obtain credentials.

What type of data is usually exposed in inbox breaches?

Email accounts often contain scheduling files, referral documents, insurance forms, internal communications, and other unstructured information that may include protected health information.

Does multi-factor authentication prevent these incidents?

It reduces risk but does not eliminate it. Attackers often use phishing kits or social engineering to capture MFA prompts, session cookies, or approval codes.

Why do these incidents trigger costly investigations?

Providers must assess every exposed mailbox, determine what information was accessible, notify affected individuals, and address regulatory obligations, which can take a lot of time and resources.