Feb 04, 2026 · 5 min read
Healthcare's Worst Email Breaches Come From One Thing: Stolen Passwords
Credential theft accounts for less than 20% of email incidents but causes the most damage. Here's why hospitals keep falling for the same attack.
The Numbers Tell the Story
Stolen login credentials led to the most damaging email breaches in healthcare during 2025, according to a new report from Paubox, a healthcare email security company.
The findings are stark: phishing-driven credential theft accounted for only about 17% of email breaches, yet those attacks exposed more than 630,000 patient records, disproportionate harm compared with every other breach type.
Across all attack types, 170 email breaches affected 2.5 million individuals in 2025. The average breach exposed nearly 16,000 individual records.
Why Credential Theft Is So Effective
Credential theft attacks follow a simple pattern that's hard to detect:
- Phishing email arrives masquerading as IT support, a vendor, or an internal system notification
- Employee enters credentials on a fake login page that looks legitimate
- Attacker logs in as that employee using the stolen username and password
- Access continues undetected while attackers search email history for protected health information
The key problem: once attackers have valid credentials, they appear to be legitimate users. Controls that key on failed passwords or unknown accounts see nothing unusual, because the login is valid. What can still be flagged is the context around it: a sign-in from a network the user has never used, an unusual hour, a sudden sweep through years of mailbox history, or a new inbox rule that hides the attacker's traffic.
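The pattern above is detectable from the audit trail even though every event in it is a "valid" action by a real account. The following is an added example, not code from the report or from any vendor: it runs a small detector over constructed, simplified Microsoft 365 unified audit log records (the operation names UserLoggedIn, MailItemsAccessed and New-InboxRule and the fields UserId, ClientIP and CreationTime are the real ones; the real export carries many more fields). The user names, addresses and the 60-minute window and 10-read threshold are illustrative assumptions.

```python
"""Flag credential-theft sign-ins in constructed Microsoft 365 audit log records.

Added example (not from the Paubox report). Records are constructed and simplified;
a valid login from a known network is deliberately left alone, since that is what
the page says looks normal. The signal is the context: unknown network, followed
by a mailbox sweep and an inbox rule from the same address within one window.
"""
import ipaddress
from datetime import datetime, timedelta

MAIL_SWEEP_THRESHOLD = 10          # assumption: MailItemsAccessed events from one IP in WINDOW
WINDOW = timedelta(minutes=60)     # assumption: how long after a sign-in we correlate activity


def network_of(ip: str) -> str:
    """Collapse an address to its /24 so a user's ISP block counts as one network."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_baseline(records):
    """Networks each user has signed in from; in production this is learned from the prior weeks."""
    baseline = {}
    for r in records:
        if r["Operation"] == "UserLoggedIn":
            baseline.setdefault(r["UserId"], set()).add(network_of(r["ClientIP"]))
    return baseline


def detect(records, baseline):
    """Return one alert per sign-in from an unknown network, scored by what followed it."""
    recs = sorted(records, key=lambda r: r["CreationTime"])   # ISO timestamps sort lexically
    alerts = []
    for i, r in enumerate(recs):
        if r["Operation"] != "UserLoggedIn":
            continue
        net = network_of(r["ClientIP"])
        if net in baseline.get(r["UserId"], set()):
            continue                                          # known network: looks normal, skip
        t0 = datetime.fromisoformat(r["CreationTime"])
        mail_reads, rules = 0, []
        for f in recs[i + 1:]:
            if datetime.fromisoformat(f["CreationTime"]) - t0 > WINDOW:
                break
            if f["UserId"] != r["UserId"] or f["ClientIP"] != r["ClientIP"]:
                continue
            if f["Operation"] == "MailItemsAccessed":
                mail_reads += 1
            elif f["Operation"] == "New-InboxRule":
                rules.append(f.get("Parameters", ""))
        reasons = [f"sign-in from unknown network {net}"]
        if mail_reads >= MAIL_SWEEP_THRESHOLD:
            reasons.append(f"{mail_reads} mailbox reads within {WINDOW}")
        if rules:
            reasons.append("inbox rule created")
        severity = "high" if len(reasons) >= 3 else "medium" if len(reasons) == 2 else "low"
        alerts.append({"user": r["UserId"], "ip": r["ClientIP"], "time": r["CreationTime"],
                       "severity": severity, "reasons": reasons})
    return alerts


def _rec(t, user, op, ip, **extra):
    return {"CreationTime": t, "UserId": user, "Operation": op, "ClientIP": ip, **extra}


# Constructed sample data (illustrative users and RFC 5737 documentation addresses).
NURSE, DOC = "nurse@hospital.example", "dr.lee@hospital.example"
HISTORY = [   # prior day, used only to learn each user's usual networks
    _rec("2025-06-02T08:01:00", NURSE, "UserLoggedIn", "198.51.100.23"),
    _rec("2025-06-02T19:20:00", NURSE, "UserLoggedIn", "198.51.100.40"),
    _rec("2025-06-02T09:00:00", DOC, "UserLoggedIn", "192.0.2.10"),
]
TODAY = [
    _rec("2025-06-03T07:55:02", NURSE, "UserLoggedIn", "198.51.100.23"),      # normal
    _rec("2025-06-03T08:10:41", NURSE, "MailItemsAccessed", "198.51.100.23"),
    _rec("2025-06-03T12:00:00", DOC, "UserLoggedIn", "203.0.113.5"),          # conference Wi-Fi
    _rec("2025-06-03T12:03:00", DOC, "MailItemsAccessed", "203.0.113.5"),
    _rec("2025-06-03T21:30:00", NURSE, "UserLoggedIn", "203.0.113.77"),       # attacker, phished password
] + [
    _rec(f"2025-06-03T21:{31 + k:02d}:00", NURSE, "MailItemsAccessed", "203.0.113.77") for k in range(12)
] + [
    _rec("2025-06-03T21:50:00", NURSE, "New-InboxRule", "203.0.113.77",
         Parameters="DeleteMessage: True; SubjectContainsWords: password"),
]

if __name__ == "__main__":
    for a in detect(TODAY, build_baseline(HISTORY)):
        print(a["severity"].upper(), a["user"], a["ip"], a["time"], "; ".join(a["reasons"]))
```

Run stand-alone it prints two alerts: a low-severity one for the doctor on conference Wi-Fi (new network, one read) and a high-severity one for the nurse's account (new network, twelve reads in minutes, then an inbox rule that deletes anything mentioning "password"). The baseline is what makes the first login-from-anywhere cheap to triage; the mailbox sweep and the inbox rule are what separate the traveller from the intruder.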
The Microsoft 365 Problem
The report found that 43.3% of email breaches occurred on Microsoft 365 systems, making it the most compromised platform in healthcare.
This isn't necessarily a security flaw in Microsoft's product—it reflects the platform's dominance in healthcare organizations. When nearly everyone uses the same system, attackers concentrate their efforts there.
Other email security platforms, including Barracuda, Mimecast, and Proofpoint, accounted for another 26.7% of breaches.
The Reporting Gap
One alarming finding: IT leaders estimate that only 5% of known phishing attacks are actually reported by employees to security teams.
That means 95% of phishing attempts—successful or not—happen without security teams ever knowing. Employees may recognize something suspicious, but they don't escalate it. They might assume IT already knows, worry about looking foolish, or simply be too busy to report.
This reporting gap leaves security teams blind to the actual volume of attacks targeting their organization.
Security Posture of Breached Organizations
Paubox categorized breached organizations by their security posture:
- 31.1% High Risk: Multiple critical security gaps
- 67.8% Medium Risk: Partial but inadequate security measures
- 1.1% Low Risk: Comprehensive protections in place
Only 1.1% of breached organizations had comprehensive protections in place. That suggests proper protection works, with one caveat: the report scores only organizations that were breached, so without knowing how common each posture is across healthcare as a whole, the figure cannot be read as a measured reduction in risk. What it does show is that the vast majority of breached organizations had known, fixable gaps.
The Cost of Healthcare Breaches
According to IBM's 2025 Cost of a Data Breach Report, healthcare breaches now cost an average of $11 million per incident. This makes healthcare the most expensive industry for data breaches for the 14th consecutive year.
The costs include regulatory fines, legal fees, remediation, credit monitoring for affected patients, and the operational disruption of responding to an incident. But they don't capture the full impact: patients whose medical records are exposed face lifelong risk of identity theft and discrimination.
What Organizations Should Do
The report's recommendations focus on preventing credential theft before it happens:
- Implement phishing-resistant MFA. One-time codes from SMS or an authenticator app can be relayed in real time by an adversary-in-the-middle phishing kit, which forwards the victim's password and code to the real login page and keeps the resulting session. FIDO2 security keys and passkeys bind each authentication to the site's origin, so an assertion produced on a lookalike domain is rejected by the legitimate service.
- Deploy inbound email security. Filter malicious emails before they reach employee inboxes. Many organizations focus on outbound security (encryption) but neglect inbound threats.
- Create a reporting culture. Make it easy and safe for employees to report suspicious emails. The 5% reporting rate represents a massive intelligence gap.
- Monitor for credential compromise. Check whether organizational credentials appear in breach databases. Attackers often try passwords leaked from other services, betting that employees reuse them.
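The difference between a relayed one-time code and a relayed FIDO2 assertion is easiest to see in code. The following is an added example, not code from the report or from any vendor. The TOTP part is the real RFC 6238 arithmetic. The FIDO2 part keeps the WebAuthn message layout (clientDataJSON carrying type, challenge and origin; authenticatorData beginning with SHA-256 of the RP ID; a signature over authenticatorData || SHA-256(clientDataJSON)) but, as a stated simplification, stands in HMAC-SHA256 with a per-credential secret for the authenticator's ECDSA key pair. The hostnames, challenge sizes and the five-second relay delay are illustrative assumptions.

```python
"""Why relayed TOTP codes work for a phisher and relayed FIDO2 assertions do not.

Added example, not from the report. Toy model: real RFC 6238 TOTP; WebAuthn-shaped
assertion with HMAC-SHA256 standing in for ECDSA (a simplification, the origin
binding it demonstrates does not depend on the signature algorithm).
"""
import base64, hashlib, hmac, json, os, struct, time

# ---- TOTP (RFC 6238: HMAC-SHA1, 30 s step, 6 digits) ----
def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def idp_check_totp(secret: bytes, code: str, now: int) -> bool:
    """Accept the current and the previous step, as most servers do."""
    return any(hmac.compare_digest(code, totp(secret, now - d)) for d in (0, 30))

# ---- WebAuthn-shaped assertion (illustrative hostnames) ----
RP_ID = "hospital.example"
REAL_ORIGIN = "https://login.hospital.example"
PHISH_ORIGIN = "https://login.hospital-example.com"     # lookalike run by the attacker

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def browser_get_assertion(cred_secret: bytes, page_origin: str, rp_id: str, challenge: bytes) -> dict:
    """What the browser hands back. The origin is filled in by the browser from the page
    that called navigator.credentials.get(); page script cannot choose it. A real browser
    would also refuse rp_id 'hospital.example' from 'hospital-example.com' before this point."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}, separators=(",", ":")).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"  # rpIdHash, flags(UP), signCount
    sig = hmac.new(cred_secret, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def rp_verify_assertion(cred_secret: bytes, expected_challenge: bytes, assertion: dict,
                        allowed_origins=(REAL_ORIGIN,)):
    """Relying-party checks in WebAuthn order: type, challenge, origin, rpIdHash, signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") not in allowed_origins:
        return False, f"origin {cd.get('origin')} not allowed"
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(cred_secret, assertion["authenticatorData"]
                        + hashlib.sha256(assertion["clientDataJSON"]).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"

# ---- Scenarios: an adversary-in-the-middle proxy relaying the victim's login ----
def relay_totp_attack(now: int = 0) -> bool:
    """Victim types password + code into the lookalike site; proxy forwards both 5 s later.
    True means the IdP accepted, i.e. the attack worked."""
    now = now or int(time.time())
    seed = os.urandom(20)                                   # shared by victim's app and the IdP
    code_typed_on_phish_site = totp(seed, now)
    return idp_check_totp(seed, code_typed_on_phish_site, now + 5)

def relay_fido2_attack():
    """Proxy forwards the IdP's challenge to the victim's browser on the lookalike origin
    and relays the assertion back. Returns the IdP's verdict."""
    cred, challenge = os.urandom(32), os.urandom(32)       # toy credential key; challenge from real IdP
    return rp_verify_assertion(cred, challenge, browser_get_assertion(cred, PHISH_ORIGIN, RP_ID, challenge))

def tamper_origin_attack():
    """Proxy rewrites the origin inside clientDataJSON before relaying it."""
    cred, challenge = os.urandom(32), os.urandom(32)
    a = browser_get_assertion(cred, PHISH_ORIGIN, RP_ID, challenge)
    a["clientDataJSON"] = a["clientDataJSON"].replace(PHISH_ORIGIN.encode(), REAL_ORIGIN.encode())
    return rp_verify_assertion(cred, challenge, a)

def legitimate_fido2_login():
    cred, challenge = os.urandom(32), os.urandom(32)
    return rp_verify_assertion(cred, challenge, browser_get_assertion(cred, REAL_ORIGIN, RP_ID, challenge))

if __name__ == "__main__":
    print("relayed TOTP accepted:", relay_totp_attack())
    print("relayed FIDO2 assertion:", relay_fido2_attack())
    print("origin rewritten by proxy:", tamper_origin_attack())
    print("genuine login:", legitimate_fido2_login())
```

The relayed TOTP code is accepted because nothing in it says where the user typed it. The relayed assertion is refused on the origin check, and a proxy that edits the origin field breaks the signature, because the signature covers the hash of clientDataJSON. That server-side check is the property the page is recommending; the browser's own refusal to use a credential for hospital.example from a lookalike domain is a second, independent barrier.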
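Checking passwords against a breach corpus does not have to mean sending the password, or its full hash, to a third party. The following is an added example, not code from the report: it implements the k-anonymity range lookup used by the Pwned Passwords API (https://api.pwnedpasswords.com/range/<first five hex characters of the SHA-1>, answered with SUFFIX:COUNT lines), so only five hex characters ever leave the organization. The breach corpus and counts below are constructed so the example runs offline; a live fetcher is included but not exercised. The User-Agent string and the corpus contents are assumptions.

```python
"""k-anonymity breach check: send a 5-hex-char SHA-1 prefix, match the suffix locally.

Added example (not from the report). The range-response format follows the Pwned
Passwords API; CONSTRUCTED_CORPUS and its counts are made up for the demonstration.
"""
import hashlib


def sha1_split(password: str):
    """Upper-case SHA-1 hex split into the 5-char prefix that is sent and the suffix kept local."""
    h = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return h[:5], h[5:]


def parse_range_response(text: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines (CRLF- or LF-separated) into {suffix: count}."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        out[suffix.upper()] = int(count)
    return out


def breach_count(password: str, fetch_range) -> int:
    """Number of times the password appears in the corpus; 0 if absent or only padding matched."""
    prefix, suffix = sha1_split(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# --- constructed stand-in for the remote service, so the example runs offline ---
CONSTRUCTED_CORPUS = {"password": 10434004, "Welcome1": 310000, "Summer2025!": 120}   # made-up counts
REQUESTS_SEEN = []   # records what the "server" received, to show only prefixes are sent


def constructed_range(prefix: str) -> str:
    """Return SUFFIX:COUNT lines for corpus entries under this prefix plus a zero-count
    padding line, which is how the real API shapes padded responses."""
    REQUESTS_SEEN.append(prefix)
    lines = [f"{sha1_split(p)[1]}:{n}" for p, n in CONSTRUCTED_CORPUS.items() if sha1_split(p)[0] == prefix]
    lines.append("0" * 35 + ":0")
    return "\r\n".join(lines)


def live_range(prefix: str) -> str:
    """The real endpoint; needs network access. Add-Padding hides the result count in the response size."""
    from urllib.request import Request, urlopen
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"Add-Padding": "true", "User-Agent": "hospital-password-screen"})  # UA string is an assumption
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    for candidate in ("password", "Summer2025!", "xV7#qLm2!pR9wZ4t"):
        n = breach_count(candidate, constructed_range)
        print(f"{candidate!r}: {'seen ' + str(n) + ' times, reject' if n else 'not in corpus'}")
    print("prefixes sent to the service:", REQUESTS_SEEN)
```

The natural place to run this is where a password is set or changed (the only moment the organization legitimately holds the plaintext), rejecting any value with a nonzero count. Swap `constructed_range` for `live_range` to query the real corpus; the only thing that changes is where the five characters go.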
The Bottom Line
Healthcare organizations face a relentless barrage of email attacks. In the first half of 2025 alone, more than 29 million individuals were affected by healthcare data breaches reported to federal regulators.
The pattern is consistent: attackers target the weakest link—employee credentials—and use legitimate access to steal patient data. Until healthcare organizations address credential security, the breaches will continue.
If you are a patient, this means your medical records may be less well protected than your bank account. If you work in healthcare, it means the suspicious email in your inbox could be the start of a breach affecting thousands of people.