A new report analyzing 180 healthcare email breaches from January 1, 2024, to January 31, 2025 reveals widespread cybersecurity issues and escalating regulatory penalties. Paubox’s 2025 Healthcare Email Security Report highlights how email remains the leading attack vector, resulting in financial penalties, compromised patient data, and increased enforcement actions from regulators. 

Key findings include: 

• 43.3% of breaches involved Microsoft 365, largely due to misconfigurations in email security settings. 
• 264% increase in ransomware attacks on healthcare since 2018, with email serving as the primary attack method. 
• Only 1.1% of analyzed healthcare organizations had a low-risk email security posture, highlighting systemic vulnerabilities. 
• HIPAA fines exceeding $9 million were issued due to email security failures, including Solara Medical Supplies’ $9.76 million settlement. 
• $9.8 million — The average cost per healthcare email breach, according to IBM. 

Despite a 50% increase in healthcare cybersecurity spending since 2018, many healthcare organizations still fail to implement fundamental email security protocols. The report found that 98.9% of breached organizations lacked MTA-STS protections, exposing email communications to interception. Additionally, 37.2% of Microsoft 365 users had DMARC in ‘monitor-only’ mode, leaving phishing attempts undetected. 

Download the report.