The report paints a worrying picture of the sector’s current cybersecurity readiness, especially as healthcare becomes an increasingly common target for cybercriminals
A new report from Paubox has shed light on serious email security vulnerabilities in the healthcare sector, revealing that a majority of organisations continue to struggle with protecting patient data from cyber threats. According to the findings, 60 per cent of healthcare IT leaders reported email-related security incidents over the past year, many of which resulted in exposure of sensitive patient information.
Despite the scale of the problem, reporting remains alarmingly low. The report found that only 5 per cent of known phishing attacks and just 4 per cent of HIPAA-related email violations are brought to the attention of security teams. This gap between incident occurrence and internal reporting is raising concerns about the effectiveness of current cybersecurity practices in the healthcare industry.
“Cyber attacks directly compromise patient safety, making robust email security essential,” said Andrea Palm, Deputy Secretary of Health and Human Services, highlighting the direct link between data protection and patient wellbeing.
The report also points to a broader issue within healthcare infrastructure. While many organisations believe they are prepared, the reality appears different. Most healthcare IT leaders underestimate the financial and reputational cost of a HIPAA violation—by as much as four times, according to the data.
Even more striking is the finding that this underreporting cannot be chalked up to a lack of awareness. Nearly 90 per cent of the surveyed organisations conduct regular training on email security best practices. This suggests that the issue may be more deeply rooted in system design, communication workflows, and institutional culture than previously assumed.
“Healthcare doesn’t need more patchwork fixes—it needs a mindset shift,” said Hoala Greevy, CEO of Paubox. “Patients expect secure, convenient communication, and it’s on us to meet that standard. With AI, automation, and built-in encryption, we can proactively defend patient data before threats ever hit the inbox. That’s exactly what we built ExecProtect+ to do—eliminate risk at the source, not after the damage is done.”
With email remaining the primary entry point for cyberattacks, experts argue that more comprehensive and preventative approaches are urgently needed.
As the healthcare industry continues to digitalise, the need for robust, AI-enabled, and seamlessly integrated security solutions will only grow. Paubox’s findings serve as a timely reminder that cybersecurity in healthcare must be more than just a checkbox—it should be treated as a foundational element of patient care.

