Paubox Report Reveals Critical Gaps in Healthcare Email Security for 2025
Paubox, a leading provider of HIPAA-compliant email security, has released its 2026 Healthcare Email Security Report, analyzing 170 email-related breaches reported to the U.S. Department of Health and Human Services (HHS) in 2025. The findings highlight persistent vulnerabilities in healthcare email security, despite a slight decline in total breaches from 180 in 2024.
Key Findings:
- Credential theft was the most damaging attack vector, exposing over 630,000 patient records despite accounting for less than 20% of incidents.
- 74% of breached organizations lacked effective DMARC policies or used monitor-only mode, allowing spoofed emails to bypass security.
- Over half had permissive or missing SPF records, allowing mail sent from unauthorized servers to be delivered as if it were legitimate.
- No breached organization enforced MTA-STS, a protocol that requires encrypted connections to an organization's mail servers to prevent interception in transit.
- Microsoft 365 was the primary email platform for 53% of breached organizations, with many failing to properly configure built-in security tools.
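The three configuration weaknesses above (monitor-only or missing DMARC, permissive or missing SPF, MTA-STS not in enforce mode) can be checked mechanically. The following is an added example, not Paubox's tooling or methodology: it classifies the raw DMARC and SPF TXT records and the MTA-STS policy text of a domain, and the sample records for the hypothetical domain example.org are constructed for illustration. Fetching the records over DNS and HTTPS is left to the caller.

```python
import re

def assess_dmarc(txt):
    """'missing', 'monitor-only' (p=none: spoofs are only reported) or 'enforcing'."""
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return "missing"
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    return "monitor-only" if tags.get("p", "none") == "none" else "enforcing"

def assess_spf(txt):
    """'missing', 'permissive' (+all/?all or no 'all'), 'softfail' (~all) or 'strict' (-all)."""
    parts = txt.split() if txt else []
    if not parts or parts[0].lower() != "v=spf1":
        return "missing"
    for term in parts[1:]:
        t = term.lower()
        if t in ("all", "+all", "?all"):
            return "permissive"
        if t == "~all":
            return "softfail"
        if t == "-all":
            return "strict"
    return "permissive"  # RFC 7208: no match and no 'all' term -> neutral result

def assess_mta_sts(policy):
    """'missing', 'not-enforcing' (mode testing/none) or 'enforcing' (mode enforce)."""
    if not policy:
        return "missing"
    m = re.search(r"^\s*mode:\s*(\w+)", policy, re.MULTILINE | re.IGNORECASE)
    if m and m.group(1).lower() == "enforce":
        return "enforcing"
    return "not-enforcing"

def weaknesses(dmarc_txt, spf_txt, mta_sts_policy):
    """Return the report's weakness labels that apply to the given records."""
    found = []
    if assess_dmarc(dmarc_txt) != "enforcing":
        found.append("DMARC not enforced")
    if assess_spf(spf_txt) in ("missing", "permissive"):
        found.append("SPF permissive or missing")
    if assess_mta_sts(mta_sts_policy) != "enforcing":
        found.append("MTA-STS not enforced")
    return found

# Constructed sample records for the hypothetical domain example.org (not real DNS data).
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org"
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com ?all"
SAMPLE_MTA_STS = "version: STSv1\nmode: testing\nmx: *.mail.protection.outlook.com\nmax_age: 86400\n"
```

Running weaknesses(SAMPLE_DMARC, SAMPLE_SPF, SAMPLE_MTA_STS) flags all three categories, matching the profile the report describes for most breached organizations.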
Additional Risks Identified:
- 3 million email addresses may be exposed to man-in-the-middle attacks due to unvalidated or expired server certificates, as Paubox research found encrypted emails routinely delivered to unverified servers.
- 41% of breached organizations fell into the highest risk category for authentication and encryption settings, up from 31% in 2024.
The report underscores that while breach numbers decreased, security postures weakened, with none of the affected organizations meeting the lowest risk threshold. Paubox recommends automated encryption for all outbound emails and AI-powered inbound threat detection to mitigate risks. The full report is based on HHS breach disclosures from January to December 2025.
U.S. Department of Health and Human Services (HHS) cybersecurity rating report: https://www.rankiteo.com/company/hhsgov
"id": "HHS1772059552",
"linkid": "hhsgov",
"type": "Breach",
"date": "1/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '630,000+ patients',
                        'industry': 'Healthcare',
                        'location': 'United States',
                        'type': 'Healthcare Organizations'}],
 'attack_vector': 'Credential Theft, Email Spoofing, Man-in-the-Middle Attacks',
 'data_breach': {'data_encryption': 'Lack of MTA-STS enforcement led to unencrypted mail server connections',
                 'number_of_records_exposed': '630,000+ (patient records), 3 million (email addresses at risk)',
                 'personally_identifiable_information': 'Yes (patient records)',
                 'sensitivity_of_data': 'High (healthcare data, personally identifiable information)',
                 'type_of_data_compromised': 'Patient records, Email addresses'},
 'date_publicly_disclosed': '2026',
 'description': 'Paubox released its 2026 Healthcare Email Security Report, analyzing 170 email-related breaches reported to the U.S. Department of Health and Human Services (HHS) in 2025. The report highlights persistent vulnerabilities in healthcare email security, including credential theft, weak DMARC/SPF policies, and lack of MTA-STS enforcement. Over 630,000 patient records were exposed due to credential theft, and 3 million email addresses were at risk of man-in-the-middle attacks.',
 'impact': {'brand_reputation_impact': 'Likely significant due to healthcare data exposure',
            'data_compromised': '630,000+ patient records exposed via credential theft; 3 million email addresses at risk of interception',
            'identity_theft_risk': 'High (patient records exposed)',
            'systems_affected': 'Email systems, Microsoft 365 platforms'},
 'investigation_status': 'Completed (Report Published)',
 'lessons_learned': 'Healthcare organizations must enforce DMARC/SPF policies, implement MTA-STS, validate server certificates, and properly configure Microsoft 365 security tools to prevent email-related breaches.',
 'post_incident_analysis': {'corrective_actions': 'Enforce DMARC/SPF policies, implement MTA-STS, validate server certificates, automate email encryption, deploy AI-powered threat detection',
                            'root_causes': 'Weak email security policies (DMARC/SPF), lack of MTA-STS enforcement, unvalidated server certificates, misconfigured Microsoft 365 security tools'},
 'recommendations': 'Automate encryption for all outbound emails, deploy AI-powered inbound threat detection, enforce DMARC/SPF policies, and implement MTA-STS to mitigate risks.',
 'references': [{'source': 'Paubox 2026 Healthcare Email Security Report'},
                {'source': 'U.S. Department of Health and Human Services (HHS) Breach Disclosures (2025)'}],
 'regulatory_compliance': {'regulations_violated': 'HIPAA (likely)',
                           'regulatory_notifications': 'Reported to U.S. Department of Health and Human Services (HHS)'},
 'title': 'Paubox Report on Healthcare Email Security Gaps (2025)',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Weak DMARC/SPF policies, Missing MTA-STS, Unvalidated/Expired Server Certificates, Misconfigured Microsoft 365 Security Tools'}