43% of Healthcare Email Breaches Tied to Microsoft 365—New Report Uncovers the Major Cybersecurity Gaps

SAN FRANCISCO--(BUSINESS WIRE)--A new report analyzing 180 healthcare email breaches from January 1, 2024, to January 31, 2025 reveals widespread cybersecurity issues and escalating regulatory penalties. Paubox’s 2025 Healthcare Email Security Report highlights how email remains the leading attack vector, resulting in financial penalties, compromised patient data, and increased enforcement actions from regulators.

Key Findings:

• 43.3% of breaches involved Microsoft 365, largely due to misconfigurations in email security settings.
• 264% increase in ransomware attacks on healthcare since 2018, with email serving as the primary attack method.
• Only 1.1% of analyzed healthcare organizations had a low-risk email security posture, highlighting systemic vulnerabilities.
• HIPAA fines exceeding $9 million were issued due to email security failures, including Solara Medical Supplies’ $9.76 million settlement.
• $9.8 million – The average cost per healthcare email breach, according to IBM.

Email security remains healthcare’s biggest weakness

Despite a 50% increase in healthcare cybersecurity spending since 2018, many healthcare organizations still fail to implement fundamental email security protocols. The report found that 98.9% of breached organizations lacked MTA-STS protections, exposing email communications to interception. Additionally, 37.2% of Microsoft 365 users had DMARC in ‘monitor-only’ mode, leaving phishing attempts undetected.

According to OCR Director Melanie Fontes Rainer, “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies.” The prevalence of email-related breaches in 2024 underscores this warning, as many healthcare organizations only realize their security gaps after a serious incident occurs.

Regulators are increasing enforcement

The HHS Office for Civil Rights (OCR) has intensified HIPAA enforcement, issuing record fines for email security failures and insufficient risk assessments. Recent high-profile cases include:

• Solara Medical Supplies - $9.76 million settlement due to a phishing-related breach affecting 114,000 patient records.
• L.A. Care - $1.3 million fine for systemic security lapses that led to a breach.

Get the full report

The 2025 Healthcare Email Security Report, created by Paubox and sourced from HHS Office for Civil Rights (OCR) breach data, provides an in-depth analysis of real-world breaches, industry trends, and actionable security recommendations to help healthcare IT leaders strengthen their defenses.

Request the full report before it’s publicly available.

For media inquiries, expert commentary, or interview requests, please contact Dawn Halpin at Paubox at press@paubox.com or 415-795-7396.

About Paubox

Paubox offers HIPAA compliant communication solutions that empower healthcare organizations of any size to simply and securely communicate. Our suite of solutions includes HIPAA compliant encrypted email, inbound email security, HIPAA compliant email marketing, and HIPAA compliant email API for transactional communications. Our customers love our HITRUST CSF certified solutions and we have industry-topping G2 ratings (4.9/5 stars). Learn more at paubox.com