
How inbound email security protects therapists from HIPAA violations


According to Paubox's What healthcare gets wrong about HIPAA and email security report, "In the first half of 2025, 107 email-related incidents were reported to HHS — on track to surpass the 180 breaches in 2024." This makes email one of the largest sources of HIPAA breaches in healthcare.

According to Healthcare Data Breaches: Insights and Implications, hacking and IT incidents have become the dominant threat vector, with research showing that cyber-based attacks rather than physical theft or loss now represent the most prevalent forms of attack behind healthcare data breaches. The study reveals a shift in attack patterns, with over 90% of exposed health records in recent years resulting from hacking incidents.

Furthermore, research in Cyber Risk in Health Facilities: A Systematic Literature Review documented that the World Health Organization observed cyber-attacks increase to more than five times the level of the same period the previous year. The systematic literature review further noted that during COVID-19, the main cyber risks derived from the action of people and systems and technology failures, showing how human vulnerability and technological weaknesses create entry points for attackers.

The FBI's Internet Crime Complaint Center (IC3) 2024 Annual Report also emphasizes the severity of this threat. The report documents that phishing and spoofing schemes generated nearly 200,000 complaints in 2024 alone, making them one of the most frequently reported cyber crimes.

These attacks normally involve fraudulent emails designed to trick recipients into clicking malicious links, downloading infected attachments, or revealing login credentials. According to the Cost of a Data Breach Report 2025, phishing has become the most common attack vector, accounting for 16% of all breaches, with an average cost of $4.8 million per incident.

Email exposure grows when you consider daily usage patterns. As Jeff Bell notes in Tips For Improving Your Email Privacy And Security for Forbes Technology Council, sending just 10 emails daily results in over 3,650 messages annually, and it's impossible to track where each message ultimately ends up. For therapists managing patient communications, this creates opportunities for PHI exposure.

Under HIPAA, therapists are required to implement reasonable safeguards to protect PHI. The Paubox report reveals that "In 2025 alone, OCR issued fines ranging from $80,000 to over $9 million for organizations whose email systems lacked enforced encryption or adequate risk analysis."

 

Understanding inbound email security

Unlike traditional spam filters that primarily block unwanted commercial messages, advanced inbound security solutions use multiple technologies to identify and neutralize phishing attempts, malware, and business email compromise schemes.

Bell's guidance reinforces that no security system is perfect. While modern email providers encrypt messages in transit and store data in secure centers, email accounts and networks remain vulnerable to attacks. 

The Paubox report found that "82% of healthcare IT leaders worry that their staff will miss a critical alert or skip a security step." This statistic shows why automated inbound security systems are crucial: they stop depending on busy staff to catch every threat by hand.

These systems analyze incoming emails by:

  • Examining sender reputation
  • Scrutinizing email headers for signs of spoofing
  • Scanning attachments for malware signatures
  • Evaluating URLs for links to known malicious websites
  • Applying machine learning to detect subtle anomalies in email patterns that might indicate a compromised account or social engineering attempt
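To make the first four checks concrete, here is an added illustration of an inbound triage pass written for this article; it is not Paubox's product code and it models no real vendor's engine. Every reputation list, hash, brand mapping and both sample messages are constructed for the example, and the decision rule (hard evidence quarantines, softer signals only warn the recipient) is an assumption chosen to show how the checks combine into a verdict.

```python
import hashlib
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed reputation data for this example only; not real threat intelligence.
BLOCKED_SENDER_DOMAINS = {"bulk-mailer.example"}
MALICIOUS_URL_HOSTS = {"secure-login-portal.example"}
MALWARE_SHA256 = {hashlib.sha256(b"constructed-malicious-payload").hexdigest()}
RISKY_EXTENSIONS = {".exe", ".js", ".scr", ".hta", ".vbs"}
# Brand names that should only appear in a From: display name with their own domain.
BRAND_DOMAINS = {"paubox": "paubox.com"}
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def _domain(addr):
    """Lower-cased domain of an address header value, or '' if it has none."""
    _, mailbox = parseaddr(addr or "")
    return mailbox.rsplit("@", 1)[-1].lower() if "@" in mailbox else ""


def analyze_message(raw):
    """Run the four inbound checks over one raw RFC 5322 message; return a verdict."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender reputation: header From and envelope sender domains against the blocklist.
    from_domain = _domain(msg["From"])
    return_path_domain = _domain(msg["Return-Path"])
    if {from_domain, return_path_domain} & BLOCKED_SENDER_DOMAINS:
        findings.append("sender-reputation: blocked sender domain")

    # 2. Header scrutiny: failed SPF/DKIM/DMARC, envelope/header mismatch,
    #    Reply-To redirection, and a trusted brand name used with a foreign domain.
    auth = (msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"header-spoofing: {mech} failed")
    if return_path_domain and return_path_domain != from_domain:
        findings.append("header-spoofing: Return-Path domain differs from From")
    reply_to_domain = _domain(msg["Reply-To"])
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append("header-spoofing: Reply-To domain differs from From")
    display_name, _ = parseaddr(msg["From"] or "")
    for brand, legit_domain in BRAND_DOMAINS.items():
        if brand in display_name.lower() and from_domain != legit_domain:
            findings.append(f"header-spoofing: display name claims {brand} from {from_domain}")

    # 3. Attachment scanning: hash against known-bad signatures, flag executable types.
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        name = (part.get_filename() or "").lower()
        if hashlib.sha256(payload).hexdigest() in MALWARE_SHA256:
            findings.append(f"attachment-malware: {name} matches known signature")
        elif any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(f"attachment-risk: executable file type {name}")

    # 4. URL evaluation: every link in the body against the malicious-host list.
    body = msg.get_body(preferencelist=("plain", "html"))
    for url in URL_RE.findall(body.get_content() if body else ""):
        host = urlsplit(url).hostname or ""
        if host in MALICIOUS_URL_HOSTS:
            findings.append(f"url-malicious: {host}")

    # Assumed policy: hard evidence quarantines; weaker signals only warn the recipient.
    hard = [f for f in findings if f.startswith(("sender-reputation", "attachment-malware", "url-malicious"))]
    action = "quarantine" if hard else ("warn" if findings else "deliver")
    return {"action": action, "findings": findings}


def sample_phish():
    """Constructed phishing message (all addresses and hosts invented) as raw text."""
    m = EmailMessage()
    m["From"] = '"Paubox Support" <alerts@bulk-mailer.example>'
    m["Return-Path"] = "<bounce@relay-other.example>"
    m["Reply-To"] = "attacker@mailbox.example"
    m["Authentication-Results"] = ("mx.example; spf=fail smtp.mailfrom=relay-other.example; "
                                   "dkim=none; dmarc=fail header.from=bulk-mailer.example")
    m["Subject"] = "Action required: account suspension"
    m.set_content("Verify your account here: https://secure-login-portal.example/login")
    m.add_attachment(b"constructed-malicious-payload", maintype="application",
                     subtype="octet-stream", filename="invoice.exe")
    return m.as_string()


def sample_clean():
    """Constructed legitimate message from a colleague, for contrast."""
    m = EmailMessage()
    m["From"] = "Dr. Jane Roe <jane@clinic.example>"
    m["Return-Path"] = "<jane@clinic.example>"
    m["Authentication-Results"] = "mx.example; spf=pass; dkim=pass; dmarc=pass"
    m["Subject"] = "Tuesday"
    m.set_content("See you at the 3pm supervision meeting.")
    return m.as_string()


if __name__ == "__main__":
    print(analyze_message(sample_phish()))
    print(analyze_message(sample_clean()))
```

A real engine replaces the inline sets with live reputation feeds, detonates attachments in a sandbox rather than hashing them, and keeps the findings list as the audit record for each message; the structure of the decision is the same.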

The systematic literature review defines cyber risk as operational risks affecting the confidentiality, availability, or integrity of information or information systems. Analysis from Healthcare Data Breaches: Insights and Implications shows that email and network servers have become the primary locations where protected health information is compromised.

The systematic literature review also identified key vulnerabilities in modern healthcare technology, noting risks from telemedicine, electronic medical records, and mobile health technologies. For solo practitioners and small therapy practices that lack dedicated IT staff, managed inbound email security provides enterprise-grade protection without requiring technical expertise.

Learn more: What is inbound email security?

 

How inbound security prevents HIPAA violations

By blocking phishing attempts before they reach therapists, these systems prevent the events that lead to violations.

 

Protection against credential theft

When a phishing email successfully tricks a therapist into entering their login credentials on a fake portal, attackers gain access to email accounts containing PHI. Inbound security solutions can detect these credential harvesting attempts by identifying fraudulent login pages and warning recipients before they disclose sensitive information.

The IC3 2024 Annual Report reveals that Business Email Compromise attacks, which often begin with credential theft, resulted in losses exceeding $2.7 billion. These schemes involve attackers impersonating trusted contacts to manipulate victims into unauthorized actions, including disclosure of sensitive information.

A finding from the Paubox report shows that "52% of email-related breaches involved Microsoft 365." The report explains that "most occurred despite 'encryption settings' being enabled because fallback delivery occurred when the recipient didn't support TLS 1.2 or higher." This reveals that many practitioners believe their email is secure simply because they use major platforms.

Read also: Top credential harvesting techniques

 

Prevention of malware infections

Ransomware attacks, often delivered through email attachments, can encrypt patient databases and backup files, making PHI inaccessible or forcing practices to pay criminals for decryption keys. The IC3 report documented over 3,100 ransomware complaints in 2024, though it notes these figures likely underrepresent the true numbers since many incidents go unreported. Advanced threat detection capabilities scan attachments in isolated environments before delivery, identifying malicious code that traditional antivirus software might miss.

Read also: How to secure healthcare email against malware

 

Defense against business email compromise

Business email compromise occurs when attackers impersonate trusted contacts to manipulate therapists into unauthorized disclosure of PHI. The Cost of a Data Breach Report 2025 reveals that malicious insider attacks resulted in the highest average breach costs at $4.92 million, while third-party vendor and supply chain compromises followed closely at $4.91 million. Research in Healthcare Data Breaches: Insights and Implications indicates that unauthorized internal disclosures represent a significant portion of breaches, often resulting from compromised accounts. By analyzing communication patterns and detecting account takeovers, inbound security can flag emails that appear to come from legitimate sources but actually originate from compromised accounts.

Read also: Unpacking the real threat behind business email compromise

 

The financial impact

The Cost of a Data Breach Report 2025 found that healthcare recorded the highest average breach cost among all industries at $7.42 million, marking the 12th consecutive year healthcare has topped this list. According to Healthcare Data Breaches: Insights and Implications, healthcare breaches typically cost $6.45 million compared to the average of $3.92 million for breaches in other industries. For individual therapy practices, even a smaller breach can result in costs that include forensic investigations, patient notification, credit monitoring services, regulatory fines, and potential legal settlements.

The research further demonstrates that the cost per breached healthcare record has been climbing steadily, reaching $429 per record, nearly three times higher than the average cost across all industries. For a small practice with just 1,000 patient records exposed, this could translate to over $400,000 in direct costs, not including the damage to reputation and patient trust.

The IC3 2024 Annual Report provides additional context, stating that individuals over 60 submitted over 147,000 complaints and experienced losses approaching $5 billion. Tech support scams, which often target this demographic, generated losses exceeding $982 million. These statistics show why a practice should not just protect its own systems but also be aware of how patients themselves may be targeted through related schemes.

 

Essential features for therapist practices

When evaluating inbound email security solutions, therapists should prioritize certain capabilities that align with HIPAA requirements. As Hoala Greevy, CEO of Paubox, states in the company's report, "Too many vendors still treat HIPAA as optional. If you're handling PHI without encryption or a BAA in place, you're creating liability."

Solutions like Paubox offer HIPAA compliant email security designed for healthcare providers, combining inbound threat protection with email encryption. Email encryption support ensures that communications containing PHI remain protected in transit. 

The Paubox report reveals that, "65% of portal users stop engaging after day one, and 22% cite difficulty navigating basic portal functions." When security measures become too difficult, staff and patients find workarounds that undermine compliance entirely.

Bell advises thinking carefully about what information is included in emails and attachments, noting that messages could end up in unintended hands. For therapists, this means never sending unencrypted PHI via email and carefully considering the sensitivity of every communication. 

Audit logging capabilities help practices meet HIPAA's documentation requirements by maintaining detailed records of blocked threats, attempted breaches, and security events. These logs can be used during compliance audits or in the unfortunate event that a breach must be investigated and reported.

 

Integrating email security into your HIPAA compliance program

Therapists should ensure their security solution integrates with existing systems, including encrypted email platforms, secure messaging services for patient communication, and electronic health record systems.

The Cost of a Data Breach Report 2025 also demonstrates the value of advanced security tools, finding that organizations using AI and automation extensively shortened their breach times by 80 days and lowered average breach costs by $1.9 million compared to organizations that didn't use these solutions. Additionally, the report reveals that attackers are increasingly leveraging AI themselves, with 16% of data breaches involving AI-driven attacks, most commonly AI-generated phishing (37%) and deepfake impersonation attacks (35%).

Therapists should maintain records of their security measures, including contracts with email security providers, configuration settings, and incident response procedures. This documentation demonstrates due diligence in protecting PHI and can mitigate penalties if a breach occurs despite reasonable precautions.

Read also: Inbound Email Security

 

FAQs

What steps should a therapist take to implement inbound email security?

Set up a HIPAA compliant provider with a Business Associate Agreement (BAA), configure it to scan all incoming mail, and test it with simulated phishing drills before full rollout.

 

How does inbound email security differ from outbound encryption?

Inbound security focuses on blocking threats before they reach your inbox, while outbound encryption protects PHI sent from your account during transit.

 

What should therapists do if they suspect a phishing email has been missed?

Immediately isolate the device, change all passwords, scan for malware, and report the incident to your email security provider and HIPAA compliance officer.
