Vulnerability exploitation becomes top breach entry point

For the first time in 19 years of the Verizon report, patching delays have given attackers a more reliable entry point into organizations than credential theft, with healthcare tracking closely with global breach patterns but facing additional pressure from insider errors and misdelivery incidents.

What happened

Verizon has published its 2026 Data Breach Investigations Report, based on analysis of more than 31,000 security incidents and 22,000 confirmed data breaches from November 2024 through October 2025. According to SecurityWeek, exploitation of vulnerabilities now accounts for 31% of all initial breach access vectors, overtaking stolen credentials for the first time in the report's 19-year history. Ransomware was involved in 48% of all confirmed breaches, up from 44% the previous year. The proportion of victims paying ransoms continues to fall, with 69% of victims declining to pay and the median ransom payment dropping from $150,000 to $139,875. Third-party involvement in breaches rose 60% year over year. In healthcare specifically, Verizon tracked 1,492 incidents and 1,438 confirmed data disclosures, with exploitation of vulnerabilities accounting for 20% of healthcare breach entry points, phishing 14%, stolen credentials 11%, and employee error 11%.

Going deeper

The shift from credentials to vulnerabilities as the leading entry point is directly tied to AI-accelerated exploitation. According to Help Net Security, Verizon found that only 26% of critical vulnerabilities were fully remediated in 2025, with a median remediation time of 43 days. Meanwhile, the window between vulnerability disclosure and active exploitation has compressed from months to hours. Shadow AI emerged as the third most common non-malicious insider action in Verizon's data loss prevention dataset, a fourfold increase from the previous year. Healthcare faces a compounding problem: the human element was involved in 54% of healthcare incidents, with misdelivery, sending data to the wrong recipient, accounting for approximately 40% of human-related incidents, followed by loss of unencrypted devices at 25% and misconfigurations at 20%. Internal actors accounted for 19% of healthcare breaches. Around 32% of healthcare data breaches involved third parties.

What was said

Daniel Lawson, SVP Global Solutions at Verizon Business, stated in the Verizon press release: "While the velocity of cyber threats driven by AI and faster vulnerability exploitation is increasing, the foundational principles of security and strong risk management remain the most effective defense. The DBIR reinforces that these fundamentals still hold as organizations strive for resilience." Verizon also noted in the report that mobile-centric social engineering through smishing and vishing carries a 40% higher success rate than traditional email phishing. It warned that GenAI tools are now being used by attackers at multiple stages, including target selection, vulnerability research, malware development, and network infiltration.

In the know

The 2026 DBIR's finding that the exploitation of vulnerabilities has overtaken credential exploitation is consistent with observations from multiple sources this year. Infostealers are increasingly serving as a pipeline for ransomware attacks: Verizon found that half of ransomware victims with a prior credential leak experienced an attack within 95 days of the leak, suggesting stolen credentials often feed into exploitation rather than being replaced. According to Help Net Security, Verizon's 2026 report also includes original research conducted with Anthropic that examines how AI is used across the attack chain, making this the first DBIR edition to formally assess AI's measurable impact on real-world breach patterns.

The big picture

For healthcare organizations, the 2026 DBIR delivers two distinct risk profiles that require separate responses. The 81% of breaches driven by external actors, through ransomware, vulnerability exploitation, phishing, and credential theft, requires investment in patching velocity, network monitoring, and email security. The 19% attributable to internal actors and human error requires a different approach: workflow controls to prevent misdelivery, mandatory encryption for portable devices, and configuration management to catch errors before data leaves the environment. Paubox's 2026 Healthcare Email Security Report found that 74% of breached healthcare organizations in 2025 had missing or unenforced DMARC, and that only 5% of known phishing attacks are reported by employees to security teams. The DBIR's finding that phishing still accounts for 14% of healthcare breach entry points, combined with the documented underreporting, suggests the actual phishing-driven breach rate in healthcare is higher than reported figures indicate.

FAQs

Why has vulnerability exploitation overtaken stolen credentials for the first time?

AI tools allow attackers to scan for, identify, and exploit known vulnerabilities faster than organizations can patch them. With the exploitation window shrinking from months to hours, and only 26% of critical vulnerabilities fully remediated in 2025, unpatched systems are now a more reliable entry point than credentials, which require additional steps to obtain and use effectively.

What does the fact that misdelivery is the top human-related healthcare breach cause mean in practice?

Misdelivery means sending an email, fax, or document to the wrong recipient. In healthcare, where clinical communications frequently contain PHI, a single misdirected message is a reportable breach under HIPAA. The 40% share of human-related incidents attributed to misdelivery shows how routine the behavior is and how rarely it is caught before transmission.

Why are ransom payments declining even as ransomware frequency increases?

More organizations have invested in backup and recovery capabilities that enable them to restore systems without incurring costs. The proportion of victims paying has fallen to 31% globally. However, the combination of data exfiltration and encryption means declining to pay does not eliminate breach consequences; it only addresses the encryption component.

What is the infostealer-to-ransomware pipeline Verizon documented?

Infostealers harvest credentials from infected devices and sell them to initial access brokers, who sell network access to ransomware affiliates. Verizon found that half of ransomware victims with a prior credential leak experienced an attack within 95 days of the leak, confirming that stolen credentials circulating in underground markets are being converted into ransomware access within weeks.

How should healthcare organizations respond to the 60% increase in third-party breaches?

Verizon recommends baking security requirements into vendor contracts, requiring evidence of security controls, and conducting regular oversight rather than relying on one-time assessments. The proposed HIPAA Security Rule update includes mandatory annual written verification from business associates that their technical controls are in place. The requirement directly addresses the third-party gap that the DBIR has documented growing year over year.
