
Our latest research, compiled in the 2025 Healthcare Email Security Report, takes an in-depth look at how healthcare organizations are managing email security and at the gaps that leave patient data exposed. The report analyzes 180 healthcare email breaches reported to the HHS Office for Civil Rights (OCR) over the past year, revealing key trends, missteps, and the areas that most urgently need attention.
Microsoft 365 is the dominant email provider in healthcare, and our analysis found that 43.3% of the breaches studied occurred at organizations using it. The platform offers advanced security tools, but many healthcare organizations never configure them properly, leaving email exposed to phishing, ransomware, and credential theft.
Relying on a household name like Microsoft 365 has created a false sense of security: organizations assume they are protected when they remain exposed to significant risk.
Key findings from the 2025 report
- 78 of the 180 healthcare breaches analyzed (43.3%) were linked to Microsoft 365.
- 37.2% of breached organizations using Microsoft 365 had DMARC in monitor-only mode (p=none), which tells receiving mail systems to deliver messages that fail authentication for the organization's domain rather than quarantine or reject them, so mail spoofing that domain is not blocked.
- 24.4% of Microsoft 365 users were classified as high risk despite investing in premium security solutions.
Why Microsoft 365 is a prime target for cybercriminals
Microsoft 365 is widely adopted across healthcare organizations, making it a high-value target for cybercriminals. The platform itself is not inherently insecure, but many IT teams fail to properly configure security settings, enforce authentication protocols, and actively monitor threats. Here’s where organizations are going wrong:
- Failure to enforce email authentication policies – SPF and DKIM records are often misconfigured, and DMARC is left at p=none (monitor-only), so messages that spoof the organization's domain are reported but still delivered.
- Inadequate monitoring of security logs – Many healthcare IT teams do not proactively review sign-in and mailbox audit logs for suspicious activity, leaving attackers room to operate undetected.
- Over-reliance on Microsoft's built-in protections – Microsoft 365 offers advanced security features, but they only help if they are licensed, turned on, and tuned; organizations cannot treat their mere presence as protection.
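The authentication misconfigurations in the first item above, and the p=reject target this post recommends further down, can be checked mechanically. The following is an added example, not Paubox's code and not from the report: it parses SPF and DMARC TXT records and classifies how much of the domain-spoofing risk they actually close. The domain names and record strings are constructed samples; against a live domain you would first fetch the TXT records for `<domain>` and `_dmarc.<domain>` (for example with `dig TXT _dmarc.example.com`) and feed them to `assess`.

```python
import re

# Constructed sample records for hypothetical domains (not real DNS lookups).
# A live check would fetch TXT records for <domain> and _dmarc.<domain>.
SAMPLE_RECORDS = {
    "monitor-only.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    },
    "partial.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    },
    "enforced.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    },
    "missing.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com ?all",
        "dmarc": None,
    },
}


def parse_dmarc(record):
    """Split a DMARC TXT record into its tags; return None if absent or not DMARC1."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def spf_all_qualifier(record):
    """Return the qualifier on SPF's 'all' mechanism ('-', '~', '?', '+') or None."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record, re.IGNORECASE)
    return (match.group(1) or "+") if match else None


def assess(spf_record, dmarc_record):
    """Classify enforcement as 'none', 'monitor-only', 'partial' or 'enforced',
    together with the findings a reviewer would raise."""
    findings = []
    tags = parse_dmarc(dmarc_record)
    if tags is None:
        status = "none"
        findings.append("no valid DMARC record: receivers apply no policy to mail spoofing this domain")
    else:
        policy = tags.get("p", "none").lower()
        pct_raw = tags.get("pct", "100")
        pct = int(pct_raw) if pct_raw.isdigit() else 100
        if policy == "none":
            status = "monitor-only"
            findings.append("p=none: failing mail is reported but still delivered")
        elif policy == "quarantine" or pct < 100:
            status = "partial"
            findings.append(f"p={policy} pct={pct}: spoofed mail is not rejected outright")
        else:
            status = "enforced"
        if "rua" not in tags:
            findings.append("no rua= address: aggregate reports are not being collected")
        if tags.get("sp", policy).lower() == "none":
            findings.append("subdomain policy is none: subdomains can still be spoofed")
    qualifier = spf_all_qualifier(spf_record)
    if qualifier is None:
        findings.append("no usable SPF record or no 'all' mechanism")
    elif qualifier != "-":
        findings.append(f"SPF ends in {qualifier}all: receivers treat failures as soft/neutral/pass")
    return status, findings


def assess_domain(domain, records=SAMPLE_RECORDS):
    """Assess the constructed records for one sample domain."""
    entry = records[domain]
    return assess(entry["spf"], entry["dmarc"])


if __name__ == "__main__":
    for name in SAMPLE_RECORDS:
        status, findings = assess_domain(name)
        print(f"{name}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Two points the classifier encodes: p=none is monitoring only, so the domain stays spoofable until the policy moves to quarantine or reject, and a pct value below 100 or a subdomain policy of none leaves part of the mail stream unenforced. DMARC only governs mail claiming to come from your own domains; inbound phishing from look-alike or unrelated domains still depends on the tenant's anti-spoofing and anti-phishing policies.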
The consequences of lax security
Healthcare organizations cannot afford to phone in their email security. Email is still the number one attack vector for healthcare breaches, and organizations that fail to act risk massive HIPAA fines, reputational damage, and operational disruption due to ransomware attacks.
“The increasing frequency and sophistication of cyberattacks in the health care sector pose a direct and significant threat to patient safety,” said HHS Deputy Secretary Andrea Palm. “These attacks endanger patients by exposing vulnerabilities in our health care system, degrading patient trust, disrupting patient care, diverting patients, and delaying medical procedures.” With ransomware incidents increasing 264% since 2018, email security must be a top priority.
How to strengthen email security in healthcare
To mitigate the risks associated with Microsoft 365 and other common email service providers, healthcare organizations must take proactive steps to strengthen their email security:
- Enforce DMARC, SPF, and DKIM – Publish SPF with a hard fail (-all), sign outbound mail with DKIM, and move DMARC from p=none to p=reject, passing through p=quarantine once aggregate reports show that every legitimate sender passes.
- Enable inbound security – Use inbound security measures like Paubox's ExecProtect+ to filter out phishing emails and malicious attachments.
- Regularly audit email security settings – Conduct frequent security assessments to find misconfigurations before attackers do. “An accurate and thorough risk analysis is foundational to both HIPAA Security Rule compliance and protecting health information from cyberattacks," said OCR Director Melanie Fontes Rainer. “Failure to conduct a risk analysis leaves health care entities exposed to future hacking and ransomware attacks. OCR urges health care entities to take the necessary steps to reduce risks and vulnerabilities and safeguard protected health information."
- Invest in continuous monitoring and threat detection – IT teams should actively track suspicious sign-in attempts, unauthorized access, mailbox-rule changes, and phishing campaigns.
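As an added example of the log review the last item calls for (this is not Paubox's code or tooling), the Python below runs three detections over constructed events shaped like Microsoft 365 Unified Audit Log records: a successful sign-in that follows a burst of failures from the same IP, an inbox rule that forwards, redirects or deletes mail (the usual persistence step after a mailbox takeover), and a sign-in from outside the organization's known address ranges. The accounts, IPs (RFC 5737 documentation space), timestamps, known range and thresholds are all assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


def _ev(time, op, user, ip, status, params=None):
    """Build one record in the shape of a Unified Audit Log entry (constructed)."""
    event = {"CreationTime": time, "Operation": op, "UserId": user,
             "ClientIP": ip, "ResultStatus": status}
    if params:
        event["Parameters"] = [{"Name": k, "Value": v} for k, v in params.items()]
    return event


# Constructed sample events (assumed shape; accounts, IPs and times are invented).
SAMPLE_EVENTS = [
    _ev("2025-03-03T08:12:04", "UserLoginFailed", "j.doe@clinic.example", "203.0.113.7", "Failed"),
    _ev("2025-03-03T08:12:31", "UserLoginFailed", "j.doe@clinic.example", "203.0.113.7", "Failed"),
    _ev("2025-03-03T08:13:05", "UserLoginFailed", "j.doe@clinic.example", "203.0.113.7", "Failed"),
    _ev("2025-03-03T08:13:40", "UserLoginFailed", "j.doe@clinic.example", "203.0.113.7", "Failed"),
    _ev("2025-03-03T08:14:30", "UserLoggedIn", "j.doe@clinic.example", "203.0.113.7", "Succeeded"),
    _ev("2025-03-03T08:16:02", "New-InboxRule", "j.doe@clinic.example", "203.0.113.7", "True",
        {"Name": ".", "ForwardTo": "billing@mail-relay.invalid", "DeleteMessage": "True"}),
    _ev("2025-03-03T08:20:11", "UserLoggedIn", "a.smith@clinic.example", "198.51.100.10", "Succeeded"),
    _ev("2025-03-03T08:21:00", "New-InboxRule", "a.smith@clinic.example", "198.51.100.10", "True",
        {"Name": "Newsletters", "MoveToFolder": "Newsletters"}),
    _ev("2025-03-03T09:00:00", "UserLoginFailed", "a.smith@clinic.example", "198.51.100.10", "Failed"),
]

# Assumptions for the demo: the organization's known egress range and tuning knobs.
KNOWN_RANGES = [ip_network("198.51.100.0/24")]
FAILURE_THRESHOLD = 3
WINDOW = timedelta(minutes=10)
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}


def _ts(event):
    return datetime.fromisoformat(event["CreationTime"])


def detect_failed_then_success(events):
    """Flag a successful sign-in preceded by >= FAILURE_THRESHOLD failures for the
    same account from the same IP inside WINDOW (credential guessing that landed)."""
    alerts = []
    by_key = defaultdict(list)
    for event in sorted(events, key=_ts):
        by_key[(event["UserId"], event["ClientIP"])].append(event)
    for (user, ip), sequence in by_key.items():
        failures = []
        for event in sequence:
            if event["Operation"] == "UserLoginFailed":
                failures.append(_ts(event))
            elif event["Operation"] == "UserLoggedIn" and event["ResultStatus"] == "Succeeded":
                recent = [t for t in failures if _ts(event) - t <= WINDOW]
                if len(recent) >= FAILURE_THRESHOLD:
                    alerts.append({"rule": "failed_then_success", "user": user, "ip": ip,
                                   "failures": len(recent), "time": event["CreationTime"]})
                failures = []
    return alerts


def detect_inbox_rule_exfil(events):
    """Flag inbox rules that forward, redirect or silently delete mail."""
    alerts = []
    for event in events:
        if event["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        hits = {p["Name"]: p["Value"] for p in event.get("Parameters", [])
                if p["Name"] in EXFIL_PARAMS}
        if hits:
            alerts.append({"rule": "inbox_rule_exfil", "user": event["UserId"],
                           "ip": event["ClientIP"], "params": hits, "time": event["CreationTime"]})
    return alerts


def detect_signin_outside_known_ranges(events, known=KNOWN_RANGES):
    """Flag the first successful sign-in per account and IP from outside the known ranges."""
    alerts, seen = [], set()
    for event in sorted(events, key=_ts):
        if event["Operation"] != "UserLoggedIn" or event["ResultStatus"] != "Succeeded":
            continue
        key = (event["UserId"], event["ClientIP"])
        if key in seen or any(ip_address(event["ClientIP"]) in net for net in known):
            continue
        seen.add(key)
        alerts.append({"rule": "signin_outside_known_ranges", "user": event["UserId"],
                       "ip": event["ClientIP"], "time": event["CreationTime"]})
    return alerts


def run_detections(events=SAMPLE_EVENTS):
    """Run all three detections and return the combined alert list."""
    return (detect_failed_then_success(events)
            + detect_inbox_rule_exfil(events)
            + detect_signin_outside_known_ranges(events))


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

On the sample data only the compromised account trips the rules; the legitimate user's single mistyped password and folder-sorting rule produce nothing. In a real tenant the events would come from `Search-UnifiedAuditLog`, the Office 365 Management Activity API or a SIEM connector, and the inbox-rule detection is best paired with disabling automatic external forwarding in the tenant's outbound spam policy so the rule cannot succeed in the first place.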
Failing to properly implement and monitor security procedures is where organizations are getting themselves into hot water. Healthcare organizations must stop assuming that premium security solutions automatically mean strong protection. Proper assessment, implementation, and enforcement of security measures are the only ways to prevent breaches.
For a deeper dive into the risks associated with Microsoft 365 and how to protect your organization, download the full 2025 Healthcare Email Security Report today.