We know that phishing is one of the most persistent threats in healthcare. What’s less discussed—and far more dangerous—is what happens after an attack.
Most healthcare phishing attacks go unreported.
In fact, up to 95% of them never make it into formal incident reports or breach disclosures. That statistic isn’t just alarming—it’s an indicator of how much visibility the industry still lacks into one of its most common threat vectors.
In our latest article published on TechRadar, we dig into the reasons behind the silence:
Confusion around what counts as a reportable breach
A lack of tools to verify whether PHI was accessed
Fear of regulatory scrutiny, especially for smaller organizations
The false sense of security that email filters alone are enough
When phishing attacks go unreported, everyone loses:
IT leaders can’t benchmark real risk levels
Security teams can’t improve their response tactics
Regulators don’t see the full scope of the problem
Patients don’t know when their data may have been compromised
Cultural and reputational pressure
The fear of triggering a regulatory inquiry or hitting the headlines is enough to make some organizations sweep lower-impact phishing incidents under the rug. Combine that with internal misalignment between compliance, legal, and IT, and you have the perfect recipe for underreporting.
Why this matters now
In our 2025 report, "Healthcare IT is dangerously overconfident about email security," we found a troubling contradiction:
92% of healthcare IT leaders feel confident in their ability to prevent email-based threats.
But 86% also admit they’re worried about their HIPAA compliance status.
This is the very gap the TechRadar article explores: the one between perceived security and actual operational readiness, including what organizations do after an attack.
The takeaway: silence is not safety.
When phishing attacks go unreported, it weakens the entire ecosystem. Organizations lose visibility into real-world threat trends. Vendors don’t get feedback loops to improve detection. Ultimately, patients are left more vulnerable.
Read the full TechRadar article:
Why 95% of phishing attacks go unreported in healthcare