
What executives need to know about healthcare email attacks in 2026


In 2025, the U.S. Department of Health and Human Services (HHS) reported 170 healthcare email breaches affecting over 2.5 million individuals. Securing protected health information (PHI) shared via email remains an ongoing challenge.

Healthcare executives responsible for risk management and compliance should understand the causes of these breaches. This article summarizes recent data on email breaches and outlines strategies to reduce exposure.

 

Main causes of email breaches in healthcare

Healthcare email breaches in 2025 fell into three main categories:

Mailbox takeover through credential theft

Credential theft often results from phishing campaigns that compromise user accounts. A compromised mailbox exposes sensitive information and enables further attacks. Phishing-driven mailbox takeovers caused about 17% of email breaches and affected over 630,000 people, the largest impact by number of individuals.

Executive and vendor impersonation

Impersonation attacks, such as business email compromise (BEC), exploit trusted identities like executives or vendors. These attacks rely on deception rather than malware, making them difficult to detect. Impersonation accounts for a significant portion of breaches.

Third-party and vendor email exposure

Exposures involving third parties and vendors were the most frequent type, representing 28% of email incidents in 2025. These breaches arose from insufficient technical safeguards when sharing PHI with external organizations.

 

Challenges in protecting healthcare email

Several factors contribute to persistent email security risks:

  • High dependence on user awareness and judgment leads to process gaps and human error

  • Phishing emails often bypass detection and enter inboxes

  • Spoofing and lookalike domains complicate identification of impersonation

  • Business associate agreements (BAAs) are more common than technical controls for email security

  • Inconsistent use of encryption and limited visibility into PHI handling after email delivery

Email’s role as a trusted communication channel increases the risk of identity misuse and scales the potential for breaches.

 

Reducing email breach risk with technical controls

Data indicates that preventing phishing and impersonation before emails reach users is essential. Email-layer protection is foundational to reducing breach risk.

Recommended technical controls include:

  • Blocking phishing emails upstream with advanced filtering and behavioral analysis

  • Applying enhanced protections for high-risk users such as executives and administrators targeted by impersonation

  • Enforcing encryption at the point of sending, regardless of recipient settings, to retain control over PHI security

Controlling PHI protection on the sender’s side reduces dependence on vendor or third-party security after delivery.

 

Next steps for healthcare organizations

Healthcare executives can strengthen email security by:

  • Evaluating current email security posture with emphasis on prevention at the gateway

  • Adopting tools that detect and block impersonation and credential theft attempts early

  • Enforcing encryption on all emails containing PHI at the time of sending

  • Increasing visibility into PHI flow through email systems, especially involving third parties

Email-related breaches represent a significant source of healthcare data exposure. Addressing technical gaps and limiting reliance on user vigilance can help reduce this risk.

Read the full report, "The top 3 healthcare email attacks in 2025 and how to defend against them," for detailed insights and practical strategies, or talk to our team about security questions.
