100% of healthcare IT leaders rate their breach detection as excellent. 58% got breached anyway.
Dawn Halpin May 4, 2026
100% of healthcare IT leaders rate their breach detection as Excellent or Good. 58% of them got breached anyway. Both numbers come from the same 170 people.
The numbers come from the Healthcare Email Security Maturity Index 2026, Paubox's new benchmark of U.S. healthcare IT leaders. Asked to rate their real-time breach detection, every respondent rated it Excellent or Good. In the same sample, 58% said their organization had been breached through email in the past 24 months, and 23% had been breached more than once.
What's broken
The Maturity Index scored each organization across eight dimensions of email security and mapped the results to four tiers: Reactive, Developing, Proactive, and Leading. Seven of the eight dimensions averaged Proactive or Leading. The eighth, encryption and recipient experience, scored 2.39 out of 4, the lowest in the benchmark.
Among the 58% of organizations that had been breached, the top three post-breach actions were strengthening encryption policies (47%), adding phishing simulation training (44%), and changing email providers (42%). Encryption topped the list.
How encryption is failing in practice
Three findings on encryption from the survey:
54% of healthcare organizations encrypt every outbound email containing protected health information by default. The remaining 46% rely on manual triggers, partial department coverage, or no encryption at all.
26% of healthcare organizations block outbound email when transport layer security cannot be established with the recipient. 5% send the message anyway, in the clear. 68% redirect the message to a portal rather than to a secure message center that spares the recipient the friction of creating an account.
48% of healthcare organizations always require encrypted email recipients to log in to a portal or create an account to read the message. Among those, more than 1 in 3 report clinical staff bypassing the workflow.
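The block-or-send-in-the-clear choice in the second finding comes down to one MTA setting. As an added example, not from the report or from Paubox, this is how it looks in a Postfix `main.cf`, with the opportunistic setting beside the enforcing one; the file paths are assumptions.

```ini
# /etc/postfix/main.cf (constructed excerpt, not from the report or Paubox)

# Weak: opportunistic TLS. If the recipient MX does not offer STARTTLS,
# Postfix falls back to plaintext delivery, the "send anyway" outcome.
# smtp_tls_security_level = may

# Corrected: mandatory TLS. When no TLS session can be negotiated, the
# message is deferred (held in the queue, then bounced to the sender after
# maximal_queue_lifetime) instead of crossing the wire in the clear.
smtp_tls_security_level = encrypt
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_ciphers = high

# Per-destination overrides: known partner domains can be raised to
# "secure" (certificate verified against the CA bundle); everything else
# inherits the mandatory default above. Path is an assumption.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Log the TLS outcome of every delivery so deferrals caused by
# "TLS is required, but was not offered" are visible in the mail log.
smtp_tls_loglevel = 1
```

Deferrals under `encrypt` surface in the mail log as queued messages, which is the signal to check for before assuming the policy is silently costing deliveries.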
"When more than a third of clinical staff are working around the encryption control, the control is not working," said Hoala Greevy, founder and CEO of Paubox. "Recipient experience is not secondary to security."
The detection paradox, examined
In Paubox's June 2025 report Healthcare IT is dangerously overconfident about email security, 42% of healthcare IT leaders rated their breach detection Excellent. Nine months later, in the Maturity Index, 100% rate it Excellent or Good. Across both surveys, breach prevalence held at roughly 6 in 10 healthcare organizations per two-year period.
The Office for Civil Rights has been signaling where the breaches start. "Phishing is the most common way that hackers gain access to health care systems to steal sensitive data and health information," former HHS OCR Director Melanie Fontes Rainer said in 2023, announcing OCR's first-ever HIPAA penalty for a phishing attack. The penalty went to Lafourche Medical Group, a Louisiana provider whose phishing breach exposed records of 34,862 individuals.
The cost of getting this wrong
Healthcare data breaches cost an average of $7.42 million per incident, the highest of any industry for 14 consecutive years, according to IBM's 2025 Cost of a Data Breach Report. Phishing is the leading initial access vector across industries.
64% of healthcare organizations in the Maturity Index have already experienced an AI-generated or AI-enhanced email attack. 38% have AI-based email threat detection fully deployed and actively monitored, leaving a 26-point gap between attack experience and operational defense. The FBI warned in December 2024 that AI-driven social engineering would scale rapidly.
What breached organizations are actually doing
Among the 58% of organizations that had been breached, the top three post-breach actions:
- 47% strengthened encryption policies
- 44% added or increased phishing simulation training
- 42% changed email providers or security vendors
18% made no significant changes after the incident. Roughly 1 in 5 breached organizations are operating the same email security setup that was in place when the breach happened.
What to do next
The Maturity Index closes with a six-step roadmap. The first three address the encryption findings:
- Make encryption the default for outbound PHI.
- Replace legacy portals with a secure message center.
- Move training beyond annual compliance, with quarterly reinforcement.
Paubox Email Suite provides HIPAA compliant email by default across Google Workspace and Microsoft 365, delivering encrypted email directly to the recipient's inbox. More than 8,000 healthcare organizations use Paubox.
The full Healthcare Email Security Maturity Index 2026 is available now.