
Email Is Healthcare’s Biggest Security Risk–2025 Report Uncovers Alarming Gaps

A new report analyzing 180 healthcare email breaches from January 1, 2024, to January 31, 2025 reveals widespread cybersecurity issues and escalating regulatory penalties. Paubox’s 2025 Healthcare Email Security Report highlights how email remains the leading attack vector, resulting in financial penalties, compromised patient data, and increased enforcement actions from regulators.

Key Findings:

  • 43.3% of breaches involved Microsoft 365.
  • Barracuda, Proofpoint and Mimecast accounted for 26.7% of breaches.
  • 264% increase in ransomware attacks on healthcare since 2018.
  • Only 1.1% of analyzed healthcare organizations had a low-risk email security posture, highlighting systemic vulnerabilities.
  • HIPAA fines exceeding $9 million were issued due to email security failures, including Solara Medical Supplies’ $9.76 million settlement.
  • $9.8 million – The average cost per healthcare email breach, according to IBM.

Email security remains healthcare’s biggest weakness

Despite a 50% increase in healthcare cybersecurity spending since 2018, many healthcare organizations still fail to implement fundamental email security protocols. 37.2% of Microsoft 365 users had DMARC in ‘monitor-only’ mode, leaving phishing attempts undetected. According to a Paubox survey, “only 27% of IT leaders feel confident about avoiding a breach in 2025.”

According to OCR Director Melanie Fontes Rainer, “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies.” The prevalence of email-related breaches in 2024 underscores this warning, as many healthcare organizations only realize their security gaps after a serious incident occurs.

Regulators are increasing enforcement

The HHS Office for Civil Rights (OCR) has intensified HIPAA enforcement, issuing record fines for email security failures and insufficient risk assessments. Recent high-profile cases include:

  • Solara Medical Supplies - $9.76 million settlement due to a phishing-related breach affecting 114,000 patient records.
  • L.A. Care - $1.3 million fine for systemic security lapses that led to a breach.

Get the full report

The 2025 Healthcare Email Security Report, created by Paubox and sourced from HHS Office for Civil Rights (OCR) breach data, provides an in-depth analysis of real-world breaches, industry trends, and actionable security recommendations to help healthcare IT leaders strengthen their defenses.

Access the report here: https://hubs.la/Q03c8Npb0

For media inquiries, expert commentary, or interview requests, please contact Dawn Halpin at Paubox at press@paubox.com or 415-795-7396.

About Paubox

Paubox offers HIPAA compliant communication solutions that empower healthcare organizations of any size to simply and securely communicate. Our suite of solutions includes HIPAA compliant encrypted email, inbound email security, HIPAA compliant email marketing, and HIPAA compliant email API for transactional communications. Our customers love our HITRUST certified solutions and we have industry-topping G2 ratings (4.9/5 stars). Learn more at paubox.com
