According to the Paubox IT Survey Report 2025, 60% of healthcare organizations reported at least one email-related security incident in 2024. The report found that 83% of organizations said legacy systems were interfering with day-to-day operations, and that 37.7% of IT teams were spending up to 20 hours a week fixing secure email issues alone.

Healthcare email risks mostly stem from the gap between knowing something and doing something about it. And when an incident occurs, the costs go far beyond the inbox. One successful phishing email can trigger regulatory investigations, operational disruption, and financial penalties. Recent enforcement actions show how quickly a single compromised inbox can become an organization-wide incident.


What one email can set in motion

In 2023, OCR issued its first HIPAA penalty directly tied to a phishing attack. The penalized organization was the Louisiana provider Lafourche Medical Group. The personal data of 34,862 individuals was exposed after an employee received a phishing email that compromised their credentials. The subsequent enforcement action included a financial penalty and a corrective action plan.

Paubox’s 2026 Healthcare Email Security Report states that HHS received 170 email-related breach reports in 2025, affecting 2.5 million people. Phishing-based mailbox takeovers, which made up only 17% of email incidents, caused outsized damage, exposing more than 630,000 patient records on their own.


The click rate problem clinical teams have not solved

Technical controls for email do not fully cover human behavior under operational pressure. In a multicenter quality improvement study published in JAMA Network Open, more than 2.9 million simulated phishing emails were sent to employees at six U.S. health care institutions, with a median click rate of 16.7%. "Almost 1 in 7 simulated emails sent were clicked on by employees," the researchers concluded, labeling the rates "a major cybersecurity risk for hospitals." Repeated phishing simulations were associated with a decline in click rates, but the effect was small over time.

Another study, this one published in the Journal of the American Medical Informatics Association, reinforced the challenge. Even mandatory phishing training programs targeted at high-risk employees, defined as those who had clicked five or more simulated emails, did not substantially reduce click rates compared with the wider employee base. The study found that just 17.9% of the highest-risk group clicked on zero phishing emails across 20 campaigns. Training reduces susceptibility; it does not eliminate it.


What the data shows about awareness without action

According to Paubox’s report on the topic, 92% of healthcare IT leaders reported confidence in their ability to prevent email breaches, yet 86% also said they were worried about their HIPAA compliance status. At the same time, 56% of organizations reported spending less than 10% of their cybersecurity budget on email security.

Paubox's Healthcare Email Security Maturity Index 2026 found that 48% of organizations require encrypted email recipients to log into a portal or create an account to read messages. Among those, more than one in three reported that clinical staff bypass the workflow.


How the costs accumulate

Paubox’s Maturity Index, citing IBM’s 2025 Cost of a Data Breach Report, reports that healthcare data breaches cost an average of $7.42 million per incident, the highest of any industry tracked. Healthcare has been in that position for 14 years running.


Breach notification obligations

The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases the media within 60 days of the discovery of a breach affecting 500 or more individuals. The clock starts on the date of discovery, not the date the organization completes its forensic review. Organizations that delay notification while conducting lengthy investigations often compound the original violation.


OCR investigation and corrective action

In April 2026, OCR settled four simultaneous ransomware cases, collectively involving $1,165,000 across four organizations. The settlements made it clear that the agency’s main focus during investigations is whether an organization had conducted an accurate, thorough, enterprise-wide security risk analysis before the breach. In all four cases that document was missing or deficient. The settlements called for two-year corrective action plans with monitored compliance obligations.


Underreporting compounds the detection problem

According to Paubox's 2025 Healthcare Email Security Report, employees report only 5% of known phishing attacks to security teams. The phishing email that leads to a breach is, in most cases, the one that was never flagged.


What Paubox addresses in this context

Paubox offers HIPAA compliant email security for covered entities and business associates, including outbound encryption that applies automatically to every email, closing the manual-trigger gap identified in both the IT Survey and the Maturity Index.

Paubox’s inbound security layer analyzes sender behavior, message intent, and indicators of compromise to intercept phishing attempts before they hit staff inboxes. It addresses the access-vector problem that phishing-based mailbox takeovers create.

The price of one bad email in healthcare includes every patient record accessible from that inbox, every vendor that had network access, every day the exposure went undetected, and every compliance obligation that attaches to the organization from the moment of discovery. The question for compliance and IT teams is whether the controls in place today are designed to stop the email from reaching a staff member, or whether the plan relies on that staff member making the right decision under pressure.


FAQs

If an employee clicks on a phishing email, does that automatically become a HIPAA breach?

No. A click alone is not necessarily a HIPAA breach. A reportable breach occurs when protected health information is accessed, acquired, used, or disclosed in a way that HIPAA does not permit.


Why do mailbox takeover attacks cause so much damage?

A compromised mailbox often contains patient communications, appointment information, billing records, and contact details. Attackers can also impersonate trusted employees, making mailbox takeovers more difficult to detect and potentially expanding the scope of the incident.


How can healthcare organizations make secure email easier for employees?

The more security depends on staff remembering extra steps, the more likely those steps are to be bypassed.