Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Social engineering tactics used against medical staff

Written by Gugu Ntsele | September 18, 2025

According to the 2024 HC3 presentation titled Social Engineering Attacks Targeting the HPH Sector, "In 2023, an average of 1.99 healthcare data breaches of 500 or more records were reported each day, and an average of 364,571 healthcare records were breached every day." This statistic shows the vulnerability of healthcare systems to social engineering attacks.

The scale of email-related breaches specifically has reached crisis levels. The Paubox Healthcare Email Security Report reveals that "180 healthcare organizations fell victim to email-related breaches in 2024" alone, highlighting how cybercriminals are increasingly targeting the communication channels that healthcare workers rely on daily.

The financial impact is equally devastating, as Obi Marizu notes in Social Engineering Attacks in US Healthcare: A Critical Analysis of Vulnerabilities and Mitigation Strategies that "the healthcare sector continues to experience the highest costs associated with data breaches, averaging $10.1 million per breach, in large part due to social engineering attacks." This figure aligns with recent data showing that "according to IBM, the true average cost of a data breach in healthcare is $9.8 million." Kathleen Ann Mullin, CISO at Healthmap Solutions, reinforces this vulnerability assessment, explaining in Healthcare IT News that "all healthcare organizations are target-rich environments for the value of their health, payment and insurance information, as well as for their methods of treatment and research information."

At its core, "social engineering is the use of deception, through manipulation of human behavior, to target and manipulate you into divulging confidential or personal information and using it for fraudulent purposes," as defined by the FBI in "Common Types of Social Engineering, Phishing Attacks in Healthcare." Unlike traditional hacking methods that exploit technical vulnerabilities, social engineering attacks manipulate human psychology and trust to gain unauthorized access to sensitive patient data, medical records, and healthcare systems. 

As Marizu observes, "The human element remains the weakest link in most cybersecurity defenses, as many social engineering tactics specifically target individuals rather than technological systems." Medical professionals, trained to prioritize patient care and respond quickly to urgent situations, often become unwitting victims of carefully orchestrated manipulation campaigns.

The challenge is made worse by the fact that healthcare workers often fail to recognize these threats. The Paubox Report found that "only 5% of known phishing attacks are reported by employees to their security teams," indicating that the majority of social engineering attempts go undetected or unreported by the very people they target.



The urgency exploitation tactic

One of the common social engineering tactics targeting medical staff exploits the healthcare industry's culture of urgency. Attackers pose as fellow medical professionals, administrators, or IT personnel claiming there's an immediate crisis requiring swift action. They might call a nurse claiming to be from the IT department, stating that the electronic health record system has been compromised and immediate password verification is needed to restore patient access.

An example documented in "Social Engineering Attacks Targeting the HPH Sector" shows how attackers exploit technical vulnerabilities alongside urgency. According to the HC3 report, "The threat actor (TA) claimed that their phone was broken and could not log in to receive MFA tokens, convincing IT help desks to enroll a new device to gain access to corporate resources." This tactic works because healthcare workers are conditioned to respond rapidly to emergencies, and the technical explanation provides credible cover for the unusual request.

These attacks succeed because, as Marizu explains, "healthcare workers often lack specialized training in identifying and responding to sophisticated social engineering attacks. This issue is compounded by the high-pressure environment of healthcare settings, where staff may prioritize patient care over cybersecurity protocols." A fraudulent caller might claim that without immediate action, patient care will be compromised, triggering the medical professional's natural instinct to help. The attacker creates artificial time pressure, leaving little room for the target to verify the request through proper channels.


Authority impersonation schemes

Social engineers pose as senior physicians, hospital administrators, regulatory officials, or vendors with whom the organization has established relationships. They leverage the healthcare industry's respect for authority and chain of command to manipulate staff into compliance.

Marizu defines this tactic as pretexting, which "involves an attacker fabricating a scenario to gain access to information or a secure area. In healthcare, this could involve impersonating a trusted authority, such as an IT professional or a healthcare provider, to manipulate staff into providing login credentials." As detailed in Common Types of Social Engineering, Phishing Attacks in Healthcare, "More advanced pretexting involves tricking victims into doing something that circumvents organizations security policies. For example, an attacker might say they're an external IT services auditor so that the organization's physical security team will let them into the building."

The HC3 report reveals behavioral patterns that healthcare staff should recognize: "The threat actors often asked the service desk support to repeat the question and paused for significant lengths before answering, likely due to the threat actor looking through notes or attempting to search for the answer to the question posed." These delays and requests for repetition are red flags that indicate someone may be consulting external information rather than responding from genuine knowledge.


Vendor and third-party manipulation

Healthcare organizations rely on external vendors for medical equipment, pharmaceuticals, IT services, and consulting. Social engineers exploit these relationships by impersonating trusted vendors or creating fictional vendor relationships. They might pose as representatives from medical device companies requiring "urgent system updates" or pharmaceutical representatives needing access to prescription data for "regulatory compliance."

A campaign by the Zeon threat group demonstrated this type of attack: the group targeted 35,000 healthcare addresses by impersonating "legitimate healthcare organizations delivering software solutions focused on patient data." As Health-ISAC Chief Security Officer Errol Weiss explained, this represents "social engineering at its finest; psychological warfare" because "there are no evil links, no evil attachments; it's just all text, and they're able to craft something that scares people and it makes them do things they wouldn't ordinarily do." The attackers contacted employees directly, walking them through installations of "legitimate remote access tools" like Zoho and AnyDesk, after which "the bad guys have access to your computer." This campaign proved so effective that it informed the threat group's continued targeting of the healthcare sector, demonstrating how vendor impersonation exploits the trust healthcare workers place in legitimate software providers.


Patient emergency pretexts

These social engineers exploit healthcare workers' commitment to patient care by creating fictional medical emergencies that require immediate access to systems or information. They might claim to be calling about a family member's critical condition, requesting access to medical records or system functions.

Medical staff may bypass security protocols when they believe patient safety is at stake. The consequences can be severe, as documented by Marizu: "In 2021, a ransomware attack caused the delayed treatment of patients in a major US hospital, leading to at least one fatality."

The broader ransomware threat has escalated, with data showing that "since 2018, ransomware attacks on healthcare organizations have surged by 264%," according to OCR reporting found in the Paubox Report.


Regulatory compliance deception

Healthcare organizations operate under regulatory requirements, including HIPAA, FDA regulations, and various state and federal compliance mandates. Social engineers exploit this regulatory environment by posing as government inspectors, compliance auditors, or regulatory agency representatives demanding immediate access to systems or information.

These attacks leverage healthcare workers' fear of regulatory violations and potential penalties. Fraudulent callers might claim to be conducting surprise compliance audits or investigating reported violations, creating pressure for immediate cooperation. They use official-sounding language and reference actual regulatory requirements to establish credibility and urgency. For example, in October 2024, the DEA issued an alert warning healthcare professionals about scammers impersonating DEA agents who were "threatening arrest, prosecution, imprisonment, and, in the case of medical practitioners and pharmacists, revocation of their DEA registration." These fraudsters used an "urgent and aggressive tone" and referenced actual "National Provider Identifier numbers and/or state license numbers when calling a medical practitioner," while also claiming "that patients are making accusations against the practitioner." The DEA emphasized that legitimate agents "will never contact medical practitioners or members of the public by telephone to request personal or sensitive information, demand money or any other form of payment."


Digital communication exploitation

As Mullin explains in Healthcare IT News, these digital attacks encompass multiple vectors: "The methods commonly used include phishing – emails purporting to be from reputable individuals to induce individuals to reveal information or take an action, vishing – voice elicitation, smishing – using text messages, and physical intrusion." The scale of these attacks continues to grow, as Common Types of Social Engineering, Phishing Attacks in Healthcare reports that "The Federal Bureau of Investigation's (FBI) Internet Crime Complaint Center (IC3) found that phishing was the most frequently reported cybercrime of 2021. IC3 received 323,972 phishing complaints in 2021, compared to 241,342 in 2020."

The sophistication of these attacks is constantly evolving, with threat actors adapting their methods to bypass security measures. As noted in Common Types of Social Engineering, Phishing Attacks in Healthcare, "Most threat actors today continue to rely on phishing to compromise their targets. Using the various types of phishing threat actors continue to evolve their tactics, techniques, and procedures (TTPs) to increase chances of successful exploitation."

The Paubox Report reveals a pattern in email security breaches, noting that "Microsoft 365 accounted for 43.3% of healthcare email breaches in 2024." It also found that "37.2% of breached Microsoft 365 organizations had DMARC in 'monitor-only' mode," a setting that only reports authentication failures and takes no enforcement action, so messages spoofing the organization's own domain can still reach inboxes.

These digital attacks might include fake communications about patient care updates, system maintenance notifications, or urgent administrative requests. The emails often contain malicious links or attachments designed to compromise systems or harvest credentials. The integration of these platforms into daily healthcare workflows makes staff more likely to interact with fraudulent communications. Recent case studies demonstrate the effectiveness of these tactics, as Marizu documents: "In 2022, a major US healthcare network was compromised by a spear-phishing attack that targeted a high-ranking executive... ultimately leading to a $15 million settlement due to HIPAA violations."


The threat of AI-enhanced attacks

The emergence of artificial intelligence has escalated the sophistication and frequency of social engineering attacks against healthcare organizations. According to Social Engineering Attacks Targeting the HPH Sector, "Since the launch of ChatGPT in November 2022, vishing, smishing, and phishing attacks have increased by a staggering 1,265%."

The HC3 report documents an alarming case where "In early 2024, scammers used artificial intelligence-powered 'deepfakes' to pose as a multinational company's chief financial officer in a video call and were able to trick an employee into sending them more than $25 million." While this incident occurred outside healthcare, it shows the potential for AI-enhanced social engineering to bypass traditional verification methods that healthcare workers might rely on, such as video calls or voice recognition.

The vulnerability of healthcare organizations to these AI-enhanced attacks is further highlighted by research showing that "76% of enterprises lack sufficient voice and messaging fraud protection," according to the HC3 presentation. This gap in protection leaves healthcare workers exposed to the new generation of AI-powered social engineering attacks.


Information gathering and reconnaissance

Successful social engineering attacks against medical staff typically begin with extensive reconnaissance phases where attackers gather detailed information about target organizations, staff members, and operational procedures. They research hospital websites, social media profiles, professional networking sites, and public records to create detailed profiles of potential targets and organizational structures.

This information allows attackers to craft personalized and credible attack scenarios. They might reference specific departments, ongoing projects, or recent organizational changes to establish legitimacy and trust. As highlighted in Common Types of Social Engineering, Phishing Attacks in Healthcare, organizations should recognize that threat actors can easily access detailed information, as "HC3 suggested that organizations remove company data from data brokers. Data brokers, such as Zoominfo, specialize in collecting data and selling it for third-party use. Bad actors can easily leverage this data and create highly specific phishing emails that are harder to detect."


Prevention and protection strategies

Defending against social engineering attacks requires a multi-layered approach combining technology, policies, and human awareness. As Mullin emphasizes in Healthcare IT News, "All employees in health systems need to understand the common methods used by social engineers. The best way to detect social engineering is to learn how to recognize the methods and tactics and then train everyone in their organization."

However, the reality of human limitations must be acknowledged. As Ryan Winchester, Director of IT at CareM, notes: "No amount of training can completely eliminate human error, so businesses must have safeguards in place." This perspective is important given that despite increased cybersecurity awareness, "only 27% of IT leaders feel confident about avoiding breaches in 2025," according to the Paubox Report.

Healthcare organizations must implement security awareness training specifically tailored to medical environments and the social engineering threats facing healthcare workers. This training should include realistic scenarios and regular simulations that help staff recognize and respond appropriately to manipulation attempts.

The importance of employee reporting cannot be overstated. As Mullin notes in Healthcare IT News, "The most important way that CISOs and CIOs are made aware of attacks is by employee reporting." Organizations must create environments where staff feel empowered to report suspicious activities without fear of retribution or judgment.

The HC3 report recommends specific countermeasures for voice-based attacks, suggesting that staff should "paraphrase and repeat the dialogue during a phone conversation where sensitive information is being discussed if suspicious, to ensure accuracy" and "consider using a 'code word' that only your family or organization knows to verify the identity of the caller, if there is a suspicion of impersonation."



FAQs

Why are healthcare organizations such high-value targets for social engineers?

Because health data combines financial, personal, and clinical information, making it more valuable than credit card details on the black market.


How do attackers typically research their healthcare targets before striking?

They often use open-source intelligence from hospital websites, social media, and professional directories to craft believable scenarios.


What role does stress and fatigue play in making medical staff vulnerable?

High-pressure work environments reduce critical thinking time, making staff more likely to comply with urgent requests.


Why are vendors and third-party relationships especially risky in healthcare?

Because staff are conditioned to trust familiar service providers, attackers can easily exploit these relationships with convincing impersonations.


How do social engineers maintain credibility during phone or email interactions?

They use industry jargon, reference real regulations, and mimic authority figures to reduce suspicion.