Report by Paubox
What small healthcare practices get wrong about HIPAA and email security
Key Findings
More than 80% of small healthcare practices expressed confidence in their current HIPAA compliance posture.
Nearly half of healthcare email breaches stem from Microsoft 365 alone.
In 2025, healthcare breaches took an average of 224 days to detect and another 84 days to contain, making it over 10 months total.
Vision Upright MRI faced a $5,000 fine plus two years of federal monitoring after a server breach exposed over 21,000 individuals' medical imaging records.
43% of small healthcare organisations reported experiencing a phishing or spoofing incident in the past year.
83% of small healthcare practices believe patient consent removes the need for encryption.
Solara Medical faced a $9.76 million class-action settlement following a phishing attack.
64% of small healthcare practices believe patient portals are required for HIPAA compliance.
20% of healthcare practices do not utilise any form of email archiving or audit trail.
98% of small healthcare organisations falsely believe they are HIPAA compliant.
Over 90% of U.S. healthcare providers operate as small organisations.
"Small" violations can cost healthcare practices anywhere from $25,000 to $9.76 million per incident.
Phishing attacks now account for over 70% of healthcare data breaches as of 2024.
About 50% of small healthcare organisations lack anti-phishing controls beyond default spam filters.
Nearly 99% of small healthcare organisations have not implemented secure email transfer protocols.
98% of small healthcare practices claim their platforms "encrypt emails by default".
Sunrise Community Health experienced an email compromise affecting 54,000+ patients.
Only half of small healthcare practices have phishing or spoofing protection enabled.
The average small healthcare employee has access to more than 5,500 sensitive files.
Salud Family Health had a phishing attack exposing 80,000+ records.
One-third of small healthcare practices report not having enough time for compliance tasks.
One-third of small healthcare practices have no clear policies or procedures in place.
Agape Health paid $25,000 for emailing protected health information unencrypted.