
What the 2025 Paubox security report reveals about industry risks

As essential as email is as a communication tool in the healthcare industry, it also poses a threat to the safety and privacy of healthcare data. The Paubox report states that between the start of 2024 and January 2025, an alarming 180 healthcare organizations reported email-related security breaches to the HHS Office for Civil Rights (OCR). This isn't just a number – it signifies disruptions to care, compromised patient trust, and immense financial strain on organizations striving to heal.

According to the IBM 2024 cost of a data breach report, HHS Deputy Secretary Andrea Palm warns, "The increasing frequency and sophistication of cyberattacks in the health care sector pose a direct and significant threat to patient safety. These attacks endanger patients by exposing vulnerabilities in our health care system, degrading patient trust, disrupting patient care, diverting patients, and delaying medical procedures." The financial toll is also staggering, with IBM Security reporting that "the average cost of a healthcare data breach reached $9.77 million in 2024, reflecting not only direct remediation costs but also lost business, regulatory fines, and reputational damage."

Key findings

Beyond the raw numbers, the Paubox report reveals several concerning patterns that help explain why healthcare email security continues to be compromised despite increased investments.

The report categorized breached organizations by their security posture, with 31.1% classified as High Risk (multiple critical security gaps), 67.8% as Medium Risk (partial but inadequate security measures), and only 1.1% maintaining Low Risk status with comprehensive protections in place.

This aligns with findings from a 2024 study published in Digital Health, which found that "technical threats increase the likelihood of security breach of DHTs (Digital Health Technologies)," with healthcare professionals strongly agreeing with this statement at a mean score of 4.04 out of 5 on their assessment scale. The study revealed that technical threats posed a 75.83% chance of causing security breaches in healthcare systems, significantly higher than physical threats. The study also concluded that despite increased cybersecurity spending, healthcare organizations continue to struggle with basic security implementations.

What's particularly concerning is the false sense of security that pervades the industry. Many organizations operate under the dangerous assumption that purchasing premium security licenses automatically provides protection. The report found that 24.4% of breached Microsoft 365 users were classified as High Risk despite paying for premium E5 security licenses.

How breaches happen

The report identifies several primary attack methods that cybercriminals use to compromise healthcare email systems, but understanding the psychology behind these attacks helps explain their effectiveness.

Phishing attacks remain the most pervasive threat, with cybercriminals sending deceptive emails impersonating legitimate sources. The 2024 study above found that phishing attacks were among the top three technical threats with the highest chance of affecting healthcare systems, and a Paubox study revealed that only 5% of known phishing attacks are reported by employees, creating dangerous blind spots in organizational defenses.

This creates a dangerous feedback loop: security teams remain unaware of ongoing attacks, employees assume someone else has reported suspicious emails, and attackers continue to refine their techniques undetected.

Spoofing & impersonation tactics have evolved significantly in recent years. Beyond simple display name spoofing, attackers now employ sophisticated techniques that can bypass basic authentication methods. According to a paper about security vulnerabilities in healthcare, critical vulnerabilities in healthcare are highly influenced by "improper management of credentials (user/password), authentication, or incorrect privilege management," which allows attackers to bypass authentication and communicate with external devices or systems.

Credential theft exploits one of our most common human weaknesses—password reuse. Despite years of security awareness training, password hygiene remains problematic across healthcare. The Warby Parker breach, which compromised nearly 200,000 patients' data through credential stuffing attacks, demonstrates how devastating this approach can be.

Research by Mejía-Granda et al. identified "hard-coded credentials" as one of the most critical vulnerabilities in healthcare systems, allowing attackers to bypass authentication and gain unauthorized access. Their study found that these vulnerabilities were particularly dangerous because they affected devices and software related to medical support and patient life care.

Why breaches happen

The technical findings in the Paubox report reveal that most breaches stem from basic security misconfigurations that should be standard practice in any healthcare organization.

The SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting & Conformance) issues identified (12.2% lacking SPF records, 40% with weak configurations, 30.6% lacking DMARC, 34.4% with ineffective monitor-only mode) point to fundamental gaps in email authentication. These aren't advanced security measures—they're baseline protections that have been industry standards for years.

What's problematic about these findings is that implementing proper SPF and DMARC configurations is relatively straightforward and low-cost compared to the potential damage of a breach. The 2024 research study found that encryption was rated by healthcare professionals as the most feasible remedy to security threats, with a mean score of 4.36 out of 5, followed by sufficient security measures (4.22) and regular security training (4.20).

The Microsoft 365 paradox deserves special attention. Despite its widespread adoption, many healthcare organizations fail to configure its security features properly. This reflects a broader issue in healthcare IT: the assumption that default configurations are sufficient for compliance and security.
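The four SPF and DMARC gaps the report counts (no SPF record, a weak SPF record, no DMARC record, DMARC left in monitor-only mode) can be checked from a domain's TXT records. The following checker is an added example written for this article, not Paubox's tooling or the report's scoring method; the TXT records are constructed sample data standing in for DNS lookups, and the High/Medium/Low roll-up is an illustrative mapping, not the report's rubric.

```python
import re
# Constructed TXT records standing in for DNS lookups (not from the report); SPF at the domain, DMARC at _dmarc.<domain>.
TXT = {
    "clinic-a.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.clinic-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@clinic-a.example"],
    "clinic-b.example": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.clinic-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@clinic-b.example"],
    "clinic-c.example": ["v=spf1 +all"],
}
SPF_ALL = re.compile(r"^([+\-~?])?all$", re.IGNORECASE)

def assess_spf(domain):
    recs = [r for r in TXT.get(domain, []) if r.lower().startswith("v=spf1")]
    if not recs:
        return "missing"
    if len(recs) > 1:
        return "invalid"            # two SPF records is a permanent error (RFC 7208)
    qualifier = None
    for term in recs[0].split()[1:]:
        m = SPF_ALL.match(term)
        if m:
            qualifier = m.group(1) or "+"
            break
    if qualifier == "-":
        return "enforcing"          # -all: unlisted hosts fail
    if qualifier == "~":
        return "weak-softfail"      # ~all: unlisted hosts only soft-fail
    return "weak-open"              # +all, ?all or no all term: anyone can send

def assess_dmarc(domain):
    recs = [r for r in TXT.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return "missing"
    tags = dict(kv.strip().lower().split("=", 1) for kv in recs[0].split(";") if "=" in kv)
    policy = tags.get("p", "")
    if policy == "none":
        return "monitor-only"       # reports only; failing mail is still delivered
    if policy in ("quarantine", "reject"):
        return "enforcing"
    return "invalid"

def domain_risk(domain):
    """Illustrative roll-up; an assumption, not the report's scoring rubric."""
    spf, dmarc = assess_spf(domain), assess_dmarc(domain)
    if spf in ("missing", "invalid") or dmarc in ("missing", "invalid"):
        return "High"
    if spf.startswith("weak") or dmarc == "monitor-only":
        return "Medium"
    return "Low"
```

To run it against real domains, replace the `TXT` dictionary with a resolver call; a `p=none` DMARC policy or a softfail SPF record is exactly the "ineffective monitor-only" and "weak configuration" state the report describes.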

Impact beyond dollars

While the financial figures are staggering – $9.77 million average breach cost, $3 million OCR settlements, $9.76 million class action settlements – they fail to capture the full impact of healthcare email breaches.

The Solara Medical Supplies case illustrates the very human consequences. Beyond the financial penalties, the organization faced:

  • Operational disruption during investigation and remediation
  • Mandatory reporting to affected patients
  • Media coverage and public scrutiny
  • Damaged relationships with healthcare partners
  • Ongoing monitoring and compliance requirements

Perhaps most significantly, these breaches erode the trust that forms the foundation of healthcare. As OCR Director Melanie Fontes Rainer emphasized, "Patients must be able to trust that sensitive, health information in their files is protected to preserve their trust in the patient-doctor relationship and ensure they get the care they need."

Research by Mejía-Granda et al. stresses that security breaches in healthcare can have severe consequences for patient safety, not just data privacy. Their study found that vulnerabilities in medical devices like infusion pumps, cardiac monitors, and medication delivery systems could potentially compromise patient health directly. As they note, "Corrupt data, arbitrary code execution, system crash/stoppage due to out-of-confines writing, or improper restriction of operations inside the bounds of a memory buffer are additional effects of the vulnerabilities examined in this study."

The path forward

The Paubox report shows that many current approaches to healthcare email security are insufficient. Moving forward requires a fundamental shift in how organizations approach this aspect of operations.

First, healthcare organizations must move beyond the compliance checkbox mentality. As security researcher Bruce Schneier has noted, "Security is not a product, but a process." Implementing email security tools is only the beginning—continuous monitoring, testing, and improvement are required.

Second, the human element cannot be overlooked. While technical controls like those offered by Paubox are helpful, they must be complemented by security awareness training. The 2024 research found that regular security training for staff was rated as one of the most feasible remedies to security threats, with a mean score of 4.20 out of 5 among healthcare professionals.

Third, healthcare organizations should adopt a defense-in-depth approach to email security. The Paubox report's key takeaway—"Organizations need to layer solutions like Paubox on top of email providers like Microsoft 365 to maintain compliance"—reflects this principle. Mejía-Granda recommends "securing communication channels and network schema, medical devices, and technological equipment" as necessary for healthcare sector security.

FAQs

What is SPF in email security?

SPF is an email authentication method designed to detect forged sender addresses during the delivery of the email. It allows the receiver to check that incoming mail from a domain comes from a host authorized by that domain's administrators.

What is DMARC in email security?

DMARC is an email authentication protocol that builds on SPF and DKIM (DomainKeys Identified Mail) to prevent email spoofing. It allows domain owners to specify which authentication mechanisms they use and what receiving mail servers should do with messages that fail authentication.

What is DKIM?

DKIM is a method of email authentication that helps prevent spammers and other malicious parties from impersonating a legitimate domain.

What is display name spoofing?

Display name spoofing is when attackers create emails that appear to come from someone you know or trust by changing the display name in the "From" field. The email address itself may be completely different, but many email clients prominently show only the display name, making this a particularly effective technique.
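Because the display name is free text, a receiving-side check can compare it against what the organisation already knows about the sender. The function below is an added illustration for this FAQ, not Paubox code; the contact directory and the sample From: headers are constructed, and keeping such a directory is an assumption.

```python
from email.utils import parseaddr

# Constructed contact directory (assumption: the organisation keeps a list of
# names that regularly appear in staff inboxes, mapped to their real address).
KNOWN_CONTACTS = {
    "dr. alice nguyen": "alice.nguyen@clinic-a.example",
    "billing department": "billing@clinic-a.example",
}

def normalize(name):
    return " ".join(name.lower().split())

def check_from_header(from_header):
    """Classify a raw From: header value as ok / spoofed / suspicious."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return ("suspicious", "no parsable address")
    domain = addr.rsplit("@", 1)[1]
    expected = KNOWN_CONTACTS.get(normalize(name))
    # A trusted name attached to an address other than the one on file
    if expected and expected != addr:
        return ("spoofed", f"name on file as {expected}, sent from {addr}")
    # An address-like display name whose domain differs from the real sender domain
    if "@" in name and name.lower().rsplit("@", 1)[1].strip() != domain:
        return ("spoofed", f"display name claims a different domain than {domain}")
    return ("ok", "")

# Constructed sample headers: genuine, look-alike domain, address-as-name, unknown vendor
SAMPLES = [
    "Dr. Alice Nguyen <alice.nguyen@clinic-a.example>",
    "Dr. Alice Nguyen <alice.nguyen@clinic-a-example.com>",
    '"billing@clinic-a.example" <acct1234@free-mail.example>',
    "Vendor Support <support@vendor.example>",
]

def run_samples():
    return [check_from_header(h)[0] for h in SAMPLES]
```

A check like this belongs alongside, not instead of, SPF and DMARC: it catches the case those protocols cannot see, a legitimate but unrelated mailbox wearing a trusted name.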
