2025 Saw Fewer Healthcare Breaches Than 2024

A report by Paubox found that of 170 email-related healthcare breaches reported to HHS, almost three quarters of the breached organizations had no DMARC policy that would actually block spoofed messages before they reached employee inboxes. In addition, over half published SPF records that were missing or too permissive to let receiving servers reject mail sent in the organization's name from unauthorized servers.
The report analyzed 170 email-related breach incidents disclosed to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights between January and December 2025.
Researchers evaluated each breached organization's publicly observable email settings, including three DNS-published protocols that underpin email authentication and transport security:
DMARC, which tells receiving servers how to handle messages that fail authentication checks for the domain: monitor only, quarantine, or reject.
SPF, which lists the servers authorized to send mail for a domain, so a receiver can check whether a message claiming to be from that domain actually came from one of them.
MTA-STS, which requires mail servers delivering to the domain to use authenticated TLS connections, so messages cannot be intercepted or downgraded to plaintext in transit.
Among the organizations analyzed, 74% either lacked a DMARC policy entirely or had it set to monitor-only mode (p=none), which produces reports on failing messages but does not block them. Over half published missing or permissive SPF records (for example a soft-fail ~all qualifier), meaning messages from unauthorized servers could still be delivered. Not a single breached organization had MTA-STS in enforce mode.
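As an added illustration (example code written for this page, not part of the Paubox report or the article), the following Python classifies a domain's published DMARC, SPF and MTA-STS settings into the buckets described above: missing, monitor-only or enforcing DMARC; missing, soft-fail or hard-fail SPF; missing, testing or enforced MTA-STS. The domain example-clinic.test and every record in it are constructed. The SPF include `spf.protection.outlook.com` and the MX pattern `*.mail.protection.outlook.com` are the ones Microsoft documents for Microsoft 365 tenants and are used only to make the sample resemble the Microsoft 365 configurations the report describes. The shortfall thresholds (anything short of p=reject or p=quarantine at full pct, -all, and mode: enforce) are this example's choices, since the article does not give the report's scoring.

```python
"""Classify a domain's published DMARC, SPF and MTA-STS settings.

All records below are constructed samples for the imaginary domain
example-clinic.test; they are not data from the Paubox report.
"""

import re
from typing import Optional


def _tags(record: str, sep: str, kv: str) -> dict:
    """Split 'k=v; k=v' text (DMARC, MTA-STS TXT) or 'k: v' lines (MTA-STS policy)."""
    out = {}
    for part in record.split(sep):
        k, found, v = part.partition(kv)
        if found and k.strip():
            out[k.strip().lower()] = v.strip().lower()
    return out


def dmarc_policy(txt: Optional[str]) -> str:
    """Return 'missing', 'monitor' (p=none), 'partial' (pct<100) or 'enforce'."""
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return "missing"
    tags = _tags(txt, ";", "=")
    p = tags.get("p")
    if p == "none":
        return "monitor"  # failures are reported to rua= but still delivered
    if p not in ("quarantine", "reject"):
        return "missing"  # p is mandatory; a record without it is not a policy
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        return "partial"  # only a sample of failing mail gets the stated policy
    return "enforce"


def spf_all_qualifier(txt: Optional[str]) -> str:
    """Qualifier on the terminal 'all' mechanism: 'missing' (no SPF record),
    'permissive' (+all), 'softfail' (~all), 'neutral' (?all, or no 'all' at
    all, which RFC 7208 section 4.7 evaluates as neutral) or 'hardfail' (-all).
    A redirect= modifier is not followed here."""
    if not txt or not txt.strip().lower().startswith("v=spf1"):
        return "missing"
    for term in txt.split()[1:]:
        m = re.fullmatch(r"([+~?-]?)all", term, re.IGNORECASE)
        if m:
            return {"": "permissive", "+": "permissive", "~": "softfail",
                    "?": "neutral", "-": "hardfail"}[m.group(1)]
    return "neutral"


def mta_sts_mode(txt: Optional[str], policy: Optional[str]) -> str:
    """MTA-STS needs a _mta-sts.<domain> TXT record (v=STSv1; id=...) AND a
    policy file served at https://mta-sts.<domain>/.well-known/mta-sts.txt.
    Returns 'missing', 'none', 'testing' or 'enforce'; only 'enforce' makes a
    sending server refuse delivery over an unauthenticated or plaintext hop."""
    if not txt or not txt.strip().lower().startswith("v=stsv1") or not policy:
        return "missing"
    fields = _tags(policy, "\n", ":")
    if fields.get("version") != "stsv1":
        return "missing"
    mode = fields.get("mode", "")
    return mode if mode in ("none", "testing", "enforce") else "missing"


def posture(dmarc_txt, spf_txt, sts_txt, sts_policy) -> dict:
    """Return the three verdicts plus the settings that fall short of
    enforcement. The thresholds are this example's, not the report's scoring."""
    verdicts = {
        "dmarc": dmarc_policy(dmarc_txt),
        "spf": spf_all_qualifier(spf_txt),
        "mta_sts": mta_sts_mode(sts_txt, sts_policy),
    }
    expected = {"dmarc": "enforce", "spf": "hardfail", "mta_sts": "enforce"}
    verdicts["shortfalls"] = [f"{k}:{v}" for k, v in verdicts.items() if expected[k] != v]
    return verdicts


# Constructed records resembling the weak configuration the report describes:
# monitor-only DMARC, soft-fail SPF behind a Microsoft 365 include, no MTA-STS.
WEAK = dict(
    dmarc_txt="v=DMARC1; p=none; rua=mailto:dmarc@example-clinic.test",
    spf_txt="v=spf1 include:spf.protection.outlook.com ~all",
    sts_txt=None,
    sts_policy=None,
)

# The same constructed domain with every setting moved to enforcement.
HARDENED = dict(
    dmarc_txt="v=DMARC1; p=reject; rua=mailto:dmarc@example-clinic.test; adkim=s; aspf=s",
    spf_txt="v=spf1 include:spf.protection.outlook.com -all",
    sts_txt="v=STSv1; id=20250101T000000",
    sts_policy="version: STSv1\nmode: enforce\nmx: *.mail.protection.outlook.com\nmax_age: 604800",
)

if __name__ == "__main__":
    for name, records in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, posture(**records))
```

Running it reports three shortfalls for the weak domain (dmarc:monitor, spf:softfail, mta_sts:missing) and none for the hardened one. To assess a real domain, feed in the TXT records from `<domain>` (SPF), `_dmarc.<domain>` and `_mta-sts.<domain>`, plus the body fetched from the mta-sts well-known URL; note that a p=reject policy with a low pct tag, or an SPF record with no terminal all, is flagged as weak even though both look like enforcement at a glance.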
According to the report, 53% of breached organizations used Microsoft 365 as their primary email platform, up from 43% in 2024. Among those, a third had DMARC in monitor-only mode, and nearly half used soft-fail SPF policies.
The total number of breached organizations dropped from 180 in 2024 to 170 in 2025. But the organizations that were breached had worse configurations on average. Forty-one percent fell into the highest risk category based on their authentication and encryption settings, up from 31% the year before. None fell into the lowest risk category, compared to 1% previously.