Paubox Reports: All Statistics
16% of email-related healthcare breaches in 2025 involved business associates.
Approximately 4.5% of outbound healthcare email connections were delivered to servers with expired or self-signed certificates.
Approximately 3 million email addresses in the healthcare sector may be at risk of exposure to cyberattacks due to unverified email delivery practices.
43.3% of healthcare email breaches involved Microsoft 365.
IT leaders estimate only 5% of known phishing attacks are reported by healthcare employees to their security teams.
Ransomware attacks on healthcare organizations surged by 264%.
Barracuda, Mimecast, and Proofpoint account for 26.7% of healthcare email breaches in 2024.
1.1% of healthcare organizations analyzed had a 'Low Risk' email security posture.
68.8% of healthcare organizations analyzed had a 'Medium Risk' email security posture.
31.1% of healthcare organizations analyzed had a 'High Risk' email security posture.
107 email-related HIPAA breaches were reported to the Department of Health and Human Services in just the first half of 2025.
The current pace of healthcare breaches in 2025 suggests the year is set to exceed 180 email breaches, which was the total reported last year.
In one enforcement case, a clinic was fined $25,000 for a single message that contained protected health information (PHI) and was sent to the wrong person without encryption.
25% of healthcare organizations have not formally approved any staff use of AI in email.
94% of healthcare organizations have begun updating security policies to address generative AI threats in email.
69% of healthcare IT leaders feel pressured to adopt AI faster than they can secure it.
75% of healthcare organizations say AI has added confusion, not clarity, to email compliance.
58% of healthcare organizations have not signed a BAA for an AI email tool so far.
Only 16% of healthcare organizations have trained most of their staff (75-100%) who have access to PHI on AI usage in email.
62% of healthcare IT and compliance leaders have observed staff experimenting with ChatGPT or similar tools even though they’re unsanctioned.
21% of respondents from healthcare organizations believe a Business Associate Agreement (BAA) isn’t required for an AI email assistant.
95% of healthcare organizations report staff are already using AI tools.
83% of healthcare IT and compliance leaders have raised concerns about AI security.
16% of healthcare IT and compliance leaders admit compliance was never consulted before AI email tools were enabled.
41% of healthcare IT and compliance leaders feel confident they could detect improper AI use before a HIPAA violation occurs.
Only 42% of healthcare organizations have signed a Business Associate Agreement (BAA) covering any AI assistant used in email.
The largest single email breach, affecting United Seating and Mobility, exposed over half a million records.
More than 1.6 million patient records were compromised across all analysed email-related healthcare incidents that occurred in the first half of 2025.
Incidents involving Mimecast email customers accounted for 8% in healthcare.
Incidents involving Barracuda email customers accounted for 5% in healthcare.
79% of breached healthcare organizations have ineffective DMARC protection. This is up dramatically from 65% in 2024.
Incidents involving Proofpoint email customers accounted for 6% in healthcare.
Business associates (including billing vendors, imaging firms, and outsourced IT providers) were involved in 17 of the 107 email-related breaches in healthcare. This represents 16% of all incidents.
41% of healthcare organizations are now classified as high-risk. This compares to just 31% last year.
Cyberattacks are cited as the leading cause of critical workflow disruptions by 50% of healthcare organizations.
IT leaders estimate that only 5% of known phishing attacks in healthcare are actually reported by employees to security teams.
The sharp rise in Microsoft 365 email breaches in healthcare represents a 21% increase year-over-year.
The Episource breach affected 5.4 million individuals.
81% of healthcare email breaches were classified as hacking or IT incidents.
Microsoft 365 environments now account for 52% of all healthcare email breaches. This represents a dramatic surge from 43% just one year ago.
The average healthcare email breach exposed nearly 16,000 individual records in the first half of 2025.
More than 80% of small healthcare practices expressed confidence in their current HIPAA compliance posture.
Nearly half of healthcare email breaches stem from Microsoft 365 alone.
In 2025, healthcare breaches took an average of 224 days to detect and another 84 days to contain, over 10 months in total.
Vision Upright MRI faced a $5,000 fine plus two years of federal monitoring after a server breach exposed over 21,000 individuals' medical imaging records.
43% of small healthcare organisations reported experiencing a phishing or spoofing incident in the past year.
83% of small healthcare practices believe patient consent removes the need for encryption.
Solara Medical faced a $9.76 million class-action settlement following a phishing attack.
64% of small healthcare practices believe patient portals are required for HIPAA compliance.
20% of healthcare practices do not utilise any form of email archiving or audit trail.