Credential Theft Drives Most Damaging Healthcare Email Breaches Going Into 2026

New analysis reveals mailbox takeovers exposed over half a million patients despite accounting for just 17% of incidents

SAN FRANCISCO--(BUSINESS WIRE)--Stolen login credentials led to the most damaging email-related healthcare breaches in 2025, exposing more than 630,000 patient records even though these attacks represented less than one-fifth of total email incidents, according to new research from Paubox.

The healthcare email security company analyzed breach data reported to the U.S. Department of Health and Human Services throughout 2025 and identified three dominant email attack patterns responsible for 170 breaches affecting 2.5 million individuals.

While phishing-driven mailbox takeovers accounted for approximately 17% of email breaches, they caused disproportionate harm. Once attackers obtained valid credentials through phishing emails, they logged into employee accounts as legitimate users and remained undetected while searching historical messages for protected health information (PHI).

"These breaches succeed because email security assumes users will recognize deception," the report states. "Once credentials are compromised, downstream controls often fail to recognize the account as compromised."

Vendor and business associate email exposure was the most frequent breach pattern, responsible for nearly one third of all email incidents, with these incidents typically exposing PHI from multiple organizations simultaneously.

Executive and vendor impersonation emerged as the third major attack vector. Attackers spoof trusted individuals—executives, known vendors, or internal staff—to trick recipients into voluntarily disclosing sensitive information. Recent attacks have evolved beyond traditional phishing to abuse trusted platforms including healthcare direct secure messaging systems and Google-hosted services.

"When messages arrive through channels and platforms recipients already trust, identity abuse becomes harder to detect and easier to scale," according to the report.

Healthcare data breaches continue to carry the highest average cost across all industries at $7.4 million per incident, according to IBM Security. Breaches involving third-party vendors average $4.9 million per incident.

Healthcare workflows amplify email security risks. Urgent requests and vendor communication are routine, making it difficult for staff to distinguish legitimate requests from sophisticated impersonation attempts.

Paubox concludes that "as long as phishing reaches inboxes, mailbox takeover will continue" and asserts that "email-layer prevention is foundational, not optional." Organizations must move beyond user awareness training and implement email-layer security that detects and blocks phishing, impersonation, and spoofed identities before messages reach inboxes.

The full report, "The Top 3 Healthcare Email Attacks in 2025 and How to Defend Against Them," is available at https://hubs.la/Q041ybdZ0.

About Paubox

Paubox is a leader in HIPAA compliant email security for healthcare. Trusted by more than 8,000 organizations, including Cost Plus Drugs, Rippling, and Covenant Health, Paubox works with your existing platform to secure every email sent and received. Paubox is rated #1 on G2 and is recognized on G2’s 2025 Best Healthcare Software Products list. Paubox offers HIPAA compliant email encryption, AI-powered inbound email security, archiving, data loss prevention, a secure email API for transactional messaging, forms, and email marketing.

Contacts

Media Contact:
Dawn Halpin
press@paubox.com
