A new report analyzing 180 healthcare email breaches from January 1, 2024, to January 31, 2025 reveals widespread cybersecurity issues and escalating regulatory penalties. Paubox’s 2025 Healthcare Email Security Report highlights how email remains the leading attack vector, resulting in financial penalties, compromised patient data, and increased enforcement actions from regulators.
Cyber Technology Insights: Latest IT & Cybersecurity Innovations on Advancements
“HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies.”
Key Findings:
- 43.3% of breaches involved Microsoft 365, largely due to misconfigurations in email security settings.
- 264% increase in ransomware attacks on healthcare since 2018, with email serving as the primary attack method.
- Only 1.1% of analyzed healthcare organizations had a low-risk email security posture, highlighting systemic vulnerabilities.
- HIPAA fines exceeding $9 million were issued due to email security failures, including Solara Medical Supplies’ $9.76 million settlement.
- $9.8 million – The average cost per healthcare email breach, according to IBM.
Email security remains healthcare’s biggest weakness
Despite a 50% increase in healthcare cybersecurity spending since 2018, many healthcare organizations still fail to implement fundamental email security protocols. The report found that 98.9% of breached organizations lacked MTA-STS protections, exposing email communications to interception. Additionally, 37.2% of Microsoft 365 users had DMARC in ‘monitor-only’ mode, leaving phishing attempts undetected.
According to OCR Director Melanie Fontes Rainer, “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies.” The prevalence of email-related breaches in 2024 underscores this warning, as many healthcare organizations only realize their security gaps after a serious incident occurs.
Regulators are increasing enforcement
The HHS Office for Civil Rights (OCR) has intensified HIPAA enforcement, issuing record fines for email security failures and insufficient risk assessments. Recent high-profile cases include:
- Solara Medical Supplies – $9.76 million settlement due to a phishing-related breach affecting 114,000 patient records.
- L.A. Care – $1.3 million fine for systemic security lapses that led to a breach.
Cyber Technology Insights: Corero Network Security Speeds Up AI Integration
To participate in our interviews, please write to our CyberTech Media Room at news@intentamplify.com
Source – Prnewswire
