
Cover-Up Culture? 95% of Phishing Attacks Go Unreported in Healthcare, New Paubox Report Reveals

SAN FRANCISCO--(BUSINESS WIRE)--Your personal health information is under attack—and healthcare providers may not even know it. A new Paubox report exposes a shocking reality: 95% of phishing attacks in healthcare go unreported to security teams. Not flagged. Not investigated. Just ignored.

Email is still the number one way cybercriminals get inside healthcare systems. Last year, 60% of healthcare organizations experienced an email-related security incident, yet most attacks go unreported. This means patient records—including yours—could be accessed without anyone sounding the alarm.

So what? If phishing attacks go unreported, they don’t trigger an investigation. If they aren’t investigated, systems aren’t patched, staff aren’t alerted, and patients aren’t warned. Your data could be in a hacker’s hands right now—and your provider wouldn’t even know.

The data no one wants to talk about:

  • 95% of phishing attacks go unreported in healthcare.
  • 60% of healthcare IT leaders admit their organizations experienced email security breaches last year.
  • 90% of organizations conduct employee training—so the problem isn’t ignorance. It’s a broken system built to miss what matters.

“It is important for healthcare institutions and payer organizations to understand that the weakest security link in an organization is the human element,” said Amy Larson DeCarlo, Principal Analyst at GlobalData. “End users are vulnerable to anything that either promises to make a task easier or offers them some kind of reward for clicking on a link.”

This isn’t just a gap in reporting. It’s a systemic breakdown in visibility, accountability, and preparedness. Healthcare orgs are investing in training, but without clear reporting mechanisms and automated threat detection, they’re playing a game of whack-a-mole—with their eyes closed.

Matt Murren, CEO of True North ITG, has seen the consequences firsthand. “We encountered a significant case where an outdated email system directly impacted patient care due to a cybersecurity breach,” he said. “The phishing attack compromised user credentials and eventually deployed ransomware across the network. It shut systems down for two weeks. Appointments were delayed. Test results were inaccessible. Urgent care cases were diverted elsewhere. Patients lost trust. This isn’t just an IT failure—it’s a patient safety crisis.”

David Chou, Founder of Chou Group Healthcare Technology Advisory Services, adds: “Healthcare organizations must move to modern, cloud-hosted email systems as a baseline for security. Equally important is ongoing education to protect staff from phishing and social engineering, which continue to be the most effective tactics used by attackers.”

The reality is, a phishing email today doesn’t need to be clever—it just needs to go unreported. And most do. For now, healthcare organizations are flying blind—and patients are the collateral damage.

Hoala Greevy, CEO of Paubox, states: “Healthcare doesn’t need more patchwork fixes—it needs a mindset shift. Patients expect secure, convenient communication, and it’s on us to meet that standard. With AI, automation, and built-in encryption, we can proactively defend patient data before threats ever hit the inbox. That’s exactly what we built ExecProtect+ to do—eliminate risk at the source, not after the damage is done.”

The 2025 Paubox IT Survey Report offers an unfiltered look at the state of email security in healthcare—and what needs to change.

Download the full report here: https://hubs.la/Q03hcR7X0

For media inquiries, expert commentary, or interview requests, please contact Dawn Halpin at Paubox at press@paubox.com or 415-795-7396.

About Paubox

Paubox offers HIPAA compliant communication solutions that empower healthcare organizations of any size to simply and securely communicate. Our suite of solutions includes HIPAA compliant encrypted email, inbound email security, HIPAA compliant email marketing, and HIPAA compliant email API for transactional communications. Our customers love our HITRUST certified solutions and we have industry-topping G2 ratings (4.9/5 stars). Learn more at paubox.com

Contacts

Media Contact:
Dawn Halpin
press@paubox.com
