Healthcare Email Security in Crisis: Microsoft 365 Breaches Expose Patient Data
New Report Reveals Alarming Gaps in Email Protections as Ransomware Attacks Surge 264%

A shocking 43% of healthcare email breaches originate from Microsoft 365, according to Paubox’s 2025 Healthcare Email Security Report. Misconfigured security settings are the primary culprit, leaving sensitive patient data vulnerable to interception and phishing attacks. The report highlights that nearly all breached organizations lacked essential protections like Mail Transfer Agent Strict Transport Security (MTA-STS), while 30% had no Domain-based Message Authentication, Reporting, and Conformance (DMARC) records at all.
These gaps make it alarmingly easy for attackers to spoof emails and infiltrate systems. The consequences are dire. Ransomware attacks on healthcare organizations have skyrocketed by 264% since 2018, with email serving as the main attack vector. Despite this, only 1% of healthcare organizations have a low-risk email security posture, while 30% are classified as high-risk. The average cost of a healthcare email breach is $9.8 million, not including HIPAA fines, which totalled over $9 million last year alone.
Recent settlements, like Solara Medical Supplies’ $9.76 million penalty after a phishing attack compromised 114,000 patient records, underscore the stakes. As cybercriminals grow more sophisticated, leveraging AI and exploiting cloud-based email systems, healthcare organizations must urgently adopt stricter security measures. Paubox emphasizes the need for mandatory enforcement of DMARC and SPF protocols, along with continuous evaluation of email defenses. “Even established tools are just a starting point,” said Rick Kuwahara, Paubox’s chief compliance officer. “To protect patient data, organizations must add layers of defense and stay proactive in their compliance efforts.”