
Social engineering threats in healthcare


Social engineering attacks are among the most persistent and costly cybersecurity threats in the healthcare sector. As the study Social Engineering Attacks in US Healthcare: A Critical Analysis of Vulnerabilities and Mitigation Strategies explains, “the healthcare sector continues to experience the highest costs associated with data breaches, averaging $10.1 million per breach, in large part due to social engineering attacks.” These attacks manipulate human behavior, leveraging trust, urgency, fear, and authority to bypass security controls. The study also notes that “Social engineering attacks have become a prominent threat in the US healthcare sector, capitalizing on human psychology to breach security rather than targeting technical flaws directly. These attacks manipulate individuals into revealing confidential information or performing actions that compromise security, leveraging trust and human error rather than exploiting software vulnerabilities.”

For healthcare organizations handling large volumes of protected health information (PHI), the consequences of a successful social engineering attack can include data breaches, ransomware attacks causing system shutdowns, regulatory fines, and disruptions to patient care.


What is social engineering?

According to the Canadian Centre for Cyber Security, “Social engineering attacks occur when a threat actor uses social connection and manipulation to pressure or trick users into doing something that is against the best interest of your organization (like providing sensitive details, passwords, or financial information).” Cybercriminals leverage human psychology rather than technical vulnerabilities, exploiting traits such as trust, helpfulness, fear, urgency, and respect for authority. As the article further explains, threat actors often impersonate a known person, a reputable organization or vendor, or even a government employee. They may attempt to influence users into taking actions that grant access to systems, such as changing account passwords or sharing login credentials. Once inside, attackers can steal business and financial information, compromise user accounts, and potentially deploy malware.


Why healthcare is a target for cybercriminals

Healthcare organizations store large amounts of sensitive data, including PHI, financial information such as bank account and credit card details, personally identifiable information (PII) like Social Security numbers, and valuable intellectual property related to medical research and innovation. This data is sought after by cybercriminals.

According to the American Hospital Association (AHA) Center for Health Innovation, “Health care organizations are particularly vulnerable and targeted by cyberattacks because they possess so much information of high monetary and intelligence value to cyber thieves and nation-state actors… In fact, stolen health records may sell up to 10 times or more than stolen credit card numbers on the dark web. Unfortunately, the bad news does not stop there for health care organizations — the cost to remediate a breach in health care is almost three times that of other industries — averaging $408 per stolen health care record versus $148 per stolen non-health record.”

Go deeper: Why healthcare is a major target for cyberattacks


Common types of social engineering attacks in healthcare

In 2024, the U.S. Department of Health and Human Services (HHS) released a report titled Social Engineering Targeting the Healthcare and Public Health (HPH) Sector, highlighting the types of social engineering attacks targeting the healthcare and public health sector. These include:


Phishing

Phishing is the most common social engineering tactic, accounting for over 70% of healthcare data breaches, according to Paubox. Attackers send fraudulent emails that appear to come from trusted sources, such as internal departments, vendors, or widely used services. Messages often create urgency or fear to trick recipients into clicking malicious links, opening attachments, or submitting credentials.


Whaling

Whaling is a form of phishing aimed at senior executives, board members, or other high-profile personnel. Attackers craft personalized emails or communications that appear to come from trusted business partners or internal leadership, often referencing strategic initiatives or urgent financial matters. According to the HHS, “Whaling often encourages victims to perform a secondary action, such as initiating a wire transfer of funds.”


Baiting

Baiting lures victims by offering rewards, like free software, medical resources, or confidential reports, to trick them into revealing personal information or installing malware.


Quid pro quo

In a quid pro quo attack, “The attacker requests sensitive information from the victim in exchange for a desirable service, i.e. fake tech support.” For example, an attacker might pose as IT support offering to resolve an urgent system issue but first asks the employee for login credentials or remote access.


Pretexting

Pretexting occurs when attackers create a fake scenario to persuade victims to disclose information or perform actions they otherwise wouldn’t. These scenarios “convince victims to share valuable and sensitive data.” Pretexting in healthcare may include cybercriminals posing as auditors, vendors, or government regulators to gain access to PHI, financial data, or research records.


Smishing

Smishing, also known as SMS-phishing, uses text messages to deliver fraudulent requests. These messages often claim to be urgent updates from IT support, HR, or scheduling systems. In these attacks, the “scammers attempt to lure the user into clicking on a link, which directs them to a malicious site and downloads malicious software and content.”


Vishing

Vishing, or voice-phishing, involves using phone calls to manipulate victims. Attackers may impersonate IT staff, vendors, or regulators to persuade staff to provide sensitive information, reset passwords, or enable system access, taking advantage of the trust staff place in authority figures.

Read also: Social engineering tactics used against medical staff


Case study

OutcomesOne

In July 2025, medication therapy management firm OutcomesOne experienced a phishing attack that compromised a single employee’s email account for about one hour, exposing PHI for nearly 150,000 individuals. The compromised data included patient names, demographic details, healthcare provider information, health insurance details specifically for Aetna plan members, and medication records.

Go deeper: Email phishing breach at medication tech firm exposes data of 150K patients


PIH Health

In April 2025, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced a $600,000 settlement with PIH Health, Inc., after a phishing attack on its email system exposed unsecured electronic protected health information (ePHI) of approximately 189,000 individuals. Affected information included names, addresses, Social Security numbers, diagnoses, lab results, treatment information, and more. The settlement also required the organization to implement corrective security measures and workforce training to prevent future incidents.

Go deeper: HHS Office for Civil Rights Settles Phishing Attack Breach with Health Care Network for $600,000


Reducing the risk of social engineering attacks

According to IBM, the following strategies can help defend against social engineering attacks:

Security awareness training

Employees should be trained to recognize phishing, pretexting, and other social engineering tactics. As the company states, “Security awareness training, combined with data security policies, can help employees understand how to protect their sensitive data and how to detect and respond to social engineering attacks in progress.”

Read more: What does cybersecurity training look like in 2025?


Access control policies

Strong access controls, including multi-factor authentication (MFA), adaptive authentication, and zero-trust frameworks, limit attackers’ access even if credentials are compromised.


Cybersecurity technologies

Technical defenses such as spam filters, secure email gateways, firewalls, antivirus software, and regular system updates help block attacks. As the article explains, “Spam filters and secure email gateways can prevent some phishing attacks from reaching employees in the first place.” Furthermore, advanced tools like endpoint detection and response (EDR) and extended detection and response (XDR) enable rapid detection and mitigation of threats introduced via social engineering.

Related: Healthcare and cybersecurity


Using advanced email security to prevent social engineering attacks

The most common entry point for social engineering attacks is email. To reduce this risk, Paubox recommends implementing advanced inbound email security solutions. These tools analyze incoming messages for suspicious behavior, tone, and context, helping identify phishing attempts, malicious attachments, or unusual requests before they reach employees’ inboxes.

For example, solutions like Paubox Inbound Email Security use generative AI to study the content and patterns of messages, flagging potentially harmful emails in real time. This added layer of defense means that healthcare organizations can prevent attackers from exploiting staff, stopping phishing attempts before patient data or other sensitive information is compromised.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)


FAQs

How can employees recognize a social engineering attack?

Employees should watch for:

  • Unexpected requests for sensitive information
  • Emails or messages with urgent language
  • Messages from unknown or suspicious senders
  • Requests to bypass standard procedures
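As an added example tying the four indicators above to the inbound analysis described in the email-security section (illustrative code written for this page, not Paubox's product logic and not code from any of the cited sources), the following Python script scores a raw email on those indicators and adds a display-name impersonation check. The internal domain, the keyword patterns, the routing thresholds, and the two sample messages are all constructed assumptions.

```python
"""Inbound-email triage for social-engineering indicators.

Added example, not Paubox's product logic or code from the article. It scores
a raw RFC 5322 message on the indicators the FAQ lists (unexpected requests for
sensitive information, urgent language, unknown or suspicious senders, requests
to bypass procedures) plus a display-name impersonation check.
The domain list, keyword patterns, thresholds and sample messages are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: domains the organization controls; any other sender is external.
INTERNAL_DOMAINS = {"hospital.example"}

# Constructed keyword patterns for the article's four indicators.
URGENCY = re.compile(
    r"\b(urgent|immediately|final notice|within \d+ (?:minutes|hours)"
    r"|account will be (?:locked|suspended))\b", re.I)
SENSITIVE_REQUEST = re.compile(
    r"\b(password|login credentials|verify your (?:account|identity)"
    r"|social security|wire transfer|gift cards?)\b", re.I)
BYPASS_REQUEST = re.compile(
    r"\b(skip|bypass|without (?:approval|a ticket)"
    r"|keep this (?:confidential|between us))\b", re.I)
# Roles commonly impersonated in the display name (IT, HR, executives, insurers).
IMPERSONATED_ROLES = re.compile(
    r"\b(it support|help ?desk|human resources|hr|ceo|cfo|aetna|medicare)\b", re.I)
LINK = re.compile(r"https?://([^\s/]+)", re.I)


def is_internal(domain):
    """True if the domain is one of ours or a subdomain of one."""
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def domain_of(addr):
    """Domain part of an email address, lower-cased; empty if malformed."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw):
    """Return findings, a score (one point per finding) and a routing verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = msg.get("Subject", "") + "\n" + body

    findings = []
    sender_external = not is_internal(domain_of(sender))
    if sender_external:
        findings.append("sender_external")
    # A trusted role name on an external address is the classic impersonation pattern.
    if sender_external and IMPERSONATED_ROLES.search(display_name):
        findings.append("display_name_impersonation")
    if reply_to and domain_of(reply_to) != domain_of(sender):
        findings.append("reply_to_mismatch")
    if URGENCY.search(text):
        findings.append("urgency")
    if SENSITIVE_REQUEST.search(text):
        findings.append("sensitive_info_request")
    if BYPASS_REQUEST.search(text):
        findings.append("bypass_request")
    if any(not is_internal(host) for host in LINK.findall(text)):
        findings.append("external_link")

    score = len(findings)
    verdict = "quarantine" if score >= 3 else "flag" if score >= 1 else "deliver"
    return {"findings": findings, "score": score, "verdict": verdict}


# Constructed sample: credential-phishing message impersonating IT support.
PHISHING_SAMPLE = """From: IT Support <helpdesk@mail-secure-reset.example>
Reply-To: recovery@secure-reset-portal.example
To: nurse@hospital.example
Subject: URGENT: your account will be locked within 2 hours

Our records show unusual sign-in activity. Verify your account and confirm
your password at https://hospital-portal-login.example/verify to keep access.
Please skip the helpdesk ticket, this is time-sensitive.
"""

# Constructed sample: routine internal message with none of the indicators.
BENIGN_SAMPLE = """From: Scheduling <scheduling@hospital.example>
To: nurse@hospital.example
Subject: Clinic calendar for next week

The updated clinic rotation is posted on the intranet. Reply if you see a conflict.
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_message(sample))
```

The rules are deliberately simple so the mapping from each FAQ indicator to a finding is visible; a production gateway would add header authentication results (SPF, DKIM, DMARC) and sender reputation, and would tune the quarantine threshold against its own false-positive rate.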


Can social engineering attacks be fully prevented?

No single measure can completely prevent social engineering attacks. However, combining employee training, robust policies, and layered cybersecurity technologies greatly reduces the likelihood and impact of these attacks.


What should employees do if they suspect a social engineering attempt?

Employees should immediately report suspicious emails, calls, or messages to their IT or security team, avoid clicking links or downloading attachments, and follow internal incident response procedures.
