Research finds email misconfigurations still drive healthcare breaches
Farah Amod
March 18, 2026
Paubox analysis indicates that longstanding email security gaps remain a major driver of healthcare cyber incidents.
What happened
Research analyzing healthcare breach data has found that email security weaknesses remain one of the most persistent risks for healthcare organizations. According to a 2026 analysis by Paubox, email remains a primary entry point for cyberattacks targeting healthcare providers, with many breaches stemming from compromised credentials and phishing campaigns rather than newly discovered software vulnerabilities. The analysis reviewed breach reports submitted to the U.S. Department of Health and Human Services Office for Civil Rights and identified at least 170 email-related breaches in 2025 involving exposure of electronic protected health information. The researchers also found that many organizations affected by email incidents lacked widely recommended safeguards such as an enforcing Domain-based Message Authentication, Reporting and Conformance (DMARC) policy, the control that tells receiving mail servers what to do with messages that fail authentication checks (nothing, quarantine, or reject). A domain with no DMARC record, or one set to monitor only, gives receivers no instruction to block spoofed mail, so phishing and spoofed messages reach employees more easily and can lead to unauthorized access to healthcare systems.
Going deeper
The findings suggest that many email-related incidents originate from configuration gaps rather than advanced exploitation techniques. Sender Policy Framework (SPF) records, which let an organization list the servers permitted to send mail on behalf of its domain, were frequently missing or overly permissive among breached organizations; an SPF record ending in "+all", for example, authorizes every host on the internet. Another commonly absent safeguard was Mail Transfer Agent Strict Transport Security (MTA-STS), a standard that lets a receiving domain require that mail addressed to it be delivered only over authenticated TLS connections, so sending servers that honor the policy refuse to fall back to cleartext rather than expose the message to interception in transit. Microsoft 365 environments accounted for a large share of the reported incidents, reflecting the platform's widespread adoption across healthcare. Researchers said the platform's built-in security tools do not guarantee protection if organizations fail to configure authentication and monitoring controls properly. As a result, attackers continue to rely on phishing, spoofing, and credential compromise because these methods remain effective against poorly configured email systems.
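The three controls named above (DMARC enforcement, SPF, MTA-STS) can be audited from their published records. The following is an added example written for this page, not code from Paubox or from the report: it parses a DMARC record, an SPF record and an MTA-STS policy and flags the weak settings the article describes, then runs a constructed "weak" configuration beside a "hardened" one. The records, the example.org addresses and the Microsoft 365 host patterns are constructed for illustration, and the one-day max_age floor is this example's own threshold; the 10-lookup limit is from RFC 7208. Records are passed in as strings so the audit runs offline; a live check would fetch the TXT records from DNS and the policy file from https://mta-sts.<domain>/.well-known/mta-sts.txt.

```python
"""Audit DMARC, SPF and MTA-STS records for the gaps the article names.
All records below are constructed examples, not data from any real domain."""
import re


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(txt):
    if txt is None:
        return ["DMARC: no record published; receivers have no policy to apply"]
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not begin with v=DMARC1"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports are clean")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC: pct={pct} leaves {100 - pct}% of failing mail unpoliced")
    if tags.get("sp", "").lower() == "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are never collected")
    return findings


# Mechanisms that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation).
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?![a-z])", re.I)
_ALL_TERM = re.compile(r"^[+\-~?]?all$", re.I)


def audit_spf(txt):
    if txt is None:
        return ["SPF: no record; receivers cannot tell which hosts may send as this domain"]
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not begin with v=spf1"]
    findings = []
    all_terms = [t for t in terms if _ALL_TERM.match(t)]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted hosts get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF: '+all' authorizes every host on the internet")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral; unlisted hosts are not rejected")
        elif qualifier == "~":
            findings.append("SPF: '~all' only softfails; rely on DMARC p=reject for enforcement")
    lookups = sum(1 for t in terms if _LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    if any(t.lstrip("+-~?").lower().startswith("ptr") for t in terms if _LOOKUP_TERM.match(t)):
        findings.append("SPF: 'ptr' mechanism is deprecated by RFC 7208")
    return findings


def parse_mta_sts_policy(text):
    """Parse the key: value policy file; 'mx' may repeat, everything else is scalar."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy


def audit_mta_sts(dns_txt, policy_text):
    if dns_txt is None or policy_text is None:
        return ["MTA-STS: not published; senders may fall back to cleartext when STARTTLS fails"]
    if not dns_txt.lower().startswith("v=stsv1"):
        return ["MTA-STS: _mta-sts TXT record does not begin with v=STSv1"]
    policy = parse_mta_sts_policy(policy_text)
    findings = []
    mode = policy.get("mode", "none").lower()
    if mode != "enforce":
        findings.append(f"MTA-STS: mode={mode}; only 'enforce' makes senders refuse unencrypted delivery")
    if not policy["mx"]:
        findings.append("MTA-STS: policy lists no mx hosts, so no MX can be matched")
    if int(policy.get("max_age", "0")) < 86400:  # one-day floor is this example's own threshold
        findings.append("MTA-STS: max_age under one day; senders forget the policy almost immediately")
    return findings


def audit_domain(records):
    """records: dict with keys dmarc, spf, mta_sts_dns, mta_sts_policy (None = absent)."""
    return (audit_dmarc(records.get("dmarc"))
            + audit_spf(records.get("spf"))
            + audit_mta_sts(records.get("mta_sts_dns"), records.get("mta_sts_policy")))


# Constructed records for a hypothetical Microsoft 365 tenant: the weak set has the
# gaps the article describes, the hardened set is the same tenant configured properly.
WEAK = {
    "dmarc": "v=DMARC1; p=none; pct=50",
    "spf": "v=spf1 include:spf.protection.outlook.com +all",
    "mta_sts_dns": None,
    "mta_sts_policy": None,
}
HARDENED = {
    "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.org",
    "spf": "v=spf1 include:spf.protection.outlook.com -all",
    "mta_sts_dns": "v=STSv1; id=20260318T000000",
    "mta_sts_policy": "version: STSv1\nmode: enforce\nmx: *.mail.protection.outlook.com\nmax_age: 1209600\n",
}

if __name__ == "__main__":
    for name, records in (("weak", WEAK), ("hardened", HARDENED)):
        findings = audit_domain(records)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

The weak set produces five findings (monitor-only DMARC, partial pct, no reporting address, "+all", no MTA-STS) and the hardened set produces none. Note that the audit reads only what the domain publishes; it cannot see whether DKIM signing is actually configured on the tenant or whether reports are being read, which is why DMARC should stay at p=none only as long as it takes to confirm that all legitimate senders pass.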
What was said
Paubox researchers concluded that many breaches are linked to persistent security gaps rather than emerging attack techniques. In the report the researchers said, “Future breaches are more likely to occur in environments where the same misconfigurations and security gaps have existed for years, rather than as the result of new attack techniques.” The researchers also noted that human behavior remains a contributing factor, especially when employees bypass security controls or encryption requirements to reduce workflow friction.
The bottom line
The findings suggest that many healthcare email breaches stem from longstanding configuration gaps rather than sophisticated new attack methods. Researchers say the industry continues to operate within a "visibility gap," where misconfigured systems allow breaches to persist for extended periods before they are detected. The report "What small healthcare practices get wrong about HIPAA and email security" found that healthcare breaches in 2025 took an average of 224 days to detect and another 84 days to contain, totaling about 308 days. Security analysts also warn that relying on default cloud settings can create what one report describes as a "silent failure mode." The analysis "How Microsoft and Google put PHI at risk" explains that Microsoft 365 may deliver a message in unencrypted cleartext if the TLS handshake with the receiving server fails, without alerting the sender; this is the normal behavior of opportunistic TLS, and it is exactly the fallback that an enforced MTA-STS policy on the receiving side is designed to stop. Meanwhile, the report "Shadow AI is outpacing healthcare email security" notes that about 95% of organizations suspect or report employees using generative AI tools for work without formal approval or oversight, creating additional pathways for sensitive information to move through existing security gaps. Together, the research suggests that misconfigurations, weak authentication controls, and human behavior remain central drivers of healthcare email breaches.
FAQs
Why is email such a common entry point for healthcare cyberattacks?
Email provides attackers with a direct way to interact with employees through phishing messages, malicious attachments, or spoofed communications that can lead to credential theft.
What is DMARC and why does it matter for healthcare organizations?
Domain-based Message Authentication, Reporting, and Conformance is an email authentication protocol built on SPF and DKIM. It tells receiving servers to check that the domain in a message's visible From header aligns with a sender authenticated by SPF or DKIM, what to do with messages that fail that check (none, quarantine, or reject), and where to send reports about the results. For healthcare organizations it matters because a domain without an enforcing DMARC policy can be spoofed in phishing messages aimed at their own staff and patients.
What is MTA-STS?
Mail Transfer Agent Strict Transport Security is a standard that lets a receiving domain publish a policy (a DNS record plus a policy file served over HTTPS) requiring that mail addressed to it be delivered only over TLS with a valid certificate. Sending servers that honor an enforced policy refuse to deliver in cleartext, which blocks the downgrade and interception attacks that opportunistic TLS alone cannot prevent.
Why are credential-based attacks so effective?
Once attackers obtain valid usernames and passwords, they can access systems using legitimate authentication methods, making malicious activity harder to distinguish from normal user behavior.
What steps can healthcare organizations take to reduce email security risk?
Organizations can publish SPF and DMARC records and move DMARC to an enforcing policy, deploy MTA-STS in enforce mode, require multifactor authentication, monitor login activity for anomalies, and conduct regular risk analyses to identify weaknesses in email configurations.