
Understanding email threats targeting healthcare


Email remains a primary entry point for criminals seeking to infiltrate healthcare organizations, steal patient data, and disrupt operations. The FBI's Internet Crime Complaint Center (IC3) recorded 880,418 complaints in 2023, with losses exceeding $12.5 billion across all industries. Healthcare, with its large volumes of valuable data and its high-pressure environment, is directly in the line of fire. An academic paper published in BMJ Health & Care Informatics states, "Healthcare data has significant value and is a potential target for hackers." The paper goes on to note, "With the move to widespread comprehensive EPR systems and digital storage of novel information types… the potential value of health data is likely to increase and increasingly sophisticated methods of gaining access are likely."

Given these stakes and the clear targeting of the sector, the question becomes: why is healthcare email still so vulnerable when cybersecurity spending is reportedly rising? The newly released Paubox 2025 Healthcare Email Security Report, based on an analysis of breaches reported to the HHS Office for Civil Rights (OCR), examines the data behind these incidents. It reveals an industry often operating with a dangerous "false sense of security," unaware of its exposure until a breach occurs.


Email threats

To understand the landscape of email communication in healthcare and the responsibilities it places on both providers and patients, we must first recognize the significant threats that healthcare organizations face via email.


Business email compromise (BEC)

BEC is one of the most financially damaging threats organizations face. The FBI's IC3 tracked 21,489 BEC complaints in 2023 alone, with losses exceeding $2.9 billion. BEC is effective and particularly dangerous because it often bypasses technical defenses entirely: it relies on social engineering, manipulating people rather than exploiting software vulnerabilities. As one academic paper outlines, this type of attack does not require deep technical expertise, only a working understanding of social engineering tactics. The same paper notes that BEC attacks rose sharply during periods of remote work and the COVID-19 pandemic.

Attackers craft emails that appear entirely legitimate, often impersonating senior executives, trusted colleagues, or established vendors. These messages typically convey a strong sense of urgency, pressuring recipients to act immediately and skip standard verification procedures. As a study in the Journal of Cybersecurity and Privacy points out, this exploitation of trust and the creation of urgent scenarios are key characteristics of BEC attacks. Healthcare organizations, with their intricate billing cycles, numerous vendor relationships, and frequently time-sensitive financial transactions (such as payments for essential medical supplies or patient transfer costs), are especially susceptible to these schemes.

One example of the financial damage BEC can inflict occurred at Children's Healthcare of Atlanta in 2022. The attacker spoofed the email domain of a construction company working on the hospital's new campus project and, posing as that company's CFO, convinced the hospital to redirect payments totaling $3.6 million to a fraudulent account.

Drawing on Microsoft Security's breakdown, there are five common types of BEC attack:

  • Data theft: Often an initial reconnaissance step. Attackers target HR or administrative staff with phishing to gather organizational charts, employee schedules, or personal contact details. According to research by the Health Sector Cybersecurity Coordination Center (HC3), this preliminary intelligence makes later attacks, such as CEO fraud, far more credible. For instance, an attacker who obtains an on-call roster knows exactly when a specific physician is unavailable, so a fraudulent financial request sent under that physician's name is harder to check and easier to believe.
  • False invoice scheme: Criminals impersonate known suppliers or vendors and send fraudulent invoices designed to look nearly identical to genuine ones. As HC3 details, they may subtly alter the bank account details, often with a plausible explanation such as a change required by a recent "audit," so that legitimate payments for medical equipment or services are diverted to accounts they control.
  • CEO fraud: A classic and highly effective BEC tactic in which attackers spoof, or in more severe cases compromise, an executive's email account, such as the CEO's or CFO's. From there they issue urgent instructions to employees, usually in finance or administration, to make immediate wire transfers or to buy items with easily convertible value such as gift cards (specifically requesting the serial numbers, which function as untraceable cash). As HC3 notes, a seemingly urgent request from the hospital administrator demanding immediate payment to a "new specialized equipment vendor" is very hard for an employee to question or delay under perceived pressure from a superior.
  • Attorney impersonation: Attackers compromise email accounts at law firms that represent the healthcare organization, then email the organization with fraudulent invoices for claimed legal services or urgent requests about supposedly confidential matters. This leverages the trust and expectation of confidentiality that surround legal communications.
  • Account compromise: The attacker gains access to a real employee's email account, often in finance or accounts receivable. From that account they can send fake invoices to the organization's trusted suppliers or partners, or lie in wait to intercept legitimate incoming payment communications and redirect the funds to accounts they control.

Phishing and spoofing 

Phishing remains the foundation of many email attacks. The FBI's 2023 report listed it as the most reported cybercrime, with 298,878 complaints. Research in the International Journal on Advanced Science, Engineering and Information Technology confirms that phishing and spoofing have become a significant threat because criminals exploit both technical weaknesses and users' lack of awareness. Users often struggle to distinguish real from fraudulent websites as these attacks have become increasingly sophisticated. To make the social engineering more convincing, attackers impersonate reputable companies, government organizations, or popular online services to gain victims' trust and steal login credentials or other personal information.

The Colonial Pipeline ransomware attack of 2021 is often cited as a phishing case, but the publicly reported initial access was a compromised VPN password for an account without multi-factor authentication. It still illustrates where a single stolen credential leads: once inside, the attackers deployed ransomware, disrupted fuel supplies on the U.S. East Coast, and extracted a $4.4 million ransom payment. Phishing is one of the most common ways such credentials are harvested in the first place.

Attackers often combine spoofing (making an email look like it comes from a trusted sender, for instance by registering a look-alike domain such as hhs-gov.com in place of hhs.gov, or by putting a trusted name in the display name while the actual address belongs to the attacker) with urgent language and plausible scenarios to lower the recipient's guard.

Spear phishing takes this a step further by targeting specific individuals (such as a department head or physician) with highly personalized emails, often referencing known colleagues, projects, or recent events to appear legitimate. Whaling is spear phishing aimed directly at high-level executives.
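The spoofing indicators described above (a look-alike sender domain, a trusted name in the display name with an attacker's address behind it, and a Reply-To that diverts the conversation) can be checked mechanically before a message ever reaches a finance inbox. The following Python script is an added example written for this article, not code from the original page or from Paubox; the trusted-domain list and the three sample messages are constructed for illustration, and the confusable-character table is a deliberately small assumption.

```python
"""Flag the BEC/spoofing indicators described in the article in a raw e-mail header block.

Added example, not code from the original page. The trusted-domain list and the
sample messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: domains this (fictional) hospital legitimately corresponds with.
TRUSTED_DOMAINS = frozenset({"hhs.gov", "examplehospital.org", "acme-construction.com"})

# Character swaps attackers use to build look-alike names; undone before comparison.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(text: str) -> str:
    """Lower-case, undo confusable swaps, and drop everything but letters and digits."""
    s = text.lower()
    for bad, good in CONFUSABLES:
        s = s.replace(bad, good)
    return re.sub(r"[^a-z0-9]", "", s)


def forms(domain: str) -> set[str]:
    """Normalized spellings of a domain, with and without its last label (the TLD)."""
    labels = domain.lower().split(".")
    out = {normalize(domain)}
    if len(labels) > 1:
        out.add(normalize(".".join(labels[:-1])))
    return {f for f in out if f}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    d = domain.lower()
    if d in trusted or any(d.endswith("." + t) for t in trusted):
        return None
    for t in sorted(trusted):
        for f in forms(d):
            for g in forms(t):
                # Exact match after normalization (hhs-gov.com -> "hhsgov" == hhs.gov -> "hhsgov"),
                # or one edit away on a reasonably long name (examplehospitl.org).
                if f == g or (len(g) >= 6 and edit_distance(f, g) <= 1):
                    return t
    return None


def analyse(raw_message: str) -> list[str]:
    """Return human-readable findings for the From / Reply-To headers of one message."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"From domain {from_domain!r} imitates trusted domain {imitated!r}")

    # Display-name spoofing: the visible name carries an address at a different domain.
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if embedded and embedded.group(1).lower() != from_domain:
        findings.append(
            f"display name shows {embedded.group(0)!r} but the real sender is {from_addr!r}"
        )

    # A Reply-To pointing elsewhere silently diverts the conversation to the attacker.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    return findings


# Constructed sample messages (headers plus a one-line body).
SPOOFED = """\
From: "HHS Office for Civil Rights" <ocr.compliance@hhs-gov.com>
Reply-To: remittance@hhsgov-payments.net
To: accounts.payable@examplehospital.org
Subject: URGENT: updated remittance details for outstanding invoice

Please process the attached invoice to the updated account today.
"""

DISPLAY_NAME_SPOOF = """\
From: "Dr. Ana Ruiz <ana.ruiz@examplehospital.org>" <ruiz.ana.md@gmail.com>
To: accounts.payable@examplehospital.org
Subject: gift cards for the nursing team, need the serial numbers today

Can you pick these up and send me the codes? I am in clinic all day.
"""

LEGITIMATE = """\
From: "Office for Civil Rights" <ocr@hhs.gov>
To: privacy.officer@examplehospital.org
Subject: Annual HIPAA compliance reminder

This is your annual reminder.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("display-name", DISPLAY_NAME_SPOOF), ("legit", LEGITIMATE)):
        print(label, analyse(sample) or ["no indicators"])
```

Run it as a script and it prints the findings for the three constructed messages; in a real mail gateway the same `analyse` function would be fed the headers of inbound mail and its findings used to tag or quarantine the message. The normalization step is what catches hhs-gov.com: stripped of punctuation it is identical to hhs.gov, which is exactly what the attacker is counting on the reader not to notice.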


Spam

While often dismissed as mere clutter, spam remains a significant threat vector. Research cited by the Australian Institute of Criminology, examining over 13 million spam emails, found that over 100,000 contained malicious attachments and nearly 1.4 million included malicious web links.

Spam is a primary delivery mechanism for both phishing campaigns and malware, including ransomware. Attackers build their address lists by scraping websites, running dictionary attacks (guessing common usernames at known domains such as hospitals), or buying lists on the dark web. Effective spam filtering is necessary, but determined attackers constantly refine their methods to slip past basic filters, so some malicious messages inevitably reach inboxes.


Account takeover (ATO)

ATO occurs when a cybercriminal steals a user's login credentials (often via phishing or from previous data breaches) and takes control of that person's legitimate email account. Because the messages then come from a genuine account, they carry none of the spoofing indicators (look-alike domains, mismatched reply addresses) that give other attacks away. Research from Fudan University underlines how common this is, finding that 22% of US adult households had experienced an ATO, with significant financial losses.


Man-in-the-Middle (MitM)

MitM attacks on email are particularly dangerous. An attacker intercepts the communication between two parties without either noticing and can read, modify, or inject malicious content into the messages. This is a significant risk for healthcare organizations that rely on unencrypted email to transmit PHI: an attacker positioned on a compromised network could intercept and alter medication instructions or appointment details sent in plain text, with direct patient-safety consequences. As research on MitM attacks indicates, cryptographic systems that lack authentication remain vulnerable to this kind of interception; encrypting the channel hides the content, but only authentication of the endpoints and of the message itself lets the recipient detect an intermediary or a modification. Secure, authenticated, encrypted transmission therefore remains the fundamental defense against MitM attacks on email.
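The point that encryption without authentication still leaves room for an intermediary is easy to show in miniature. The Python example below is an added illustration written for this article, not code from the original page or from Paubox. It assumes a stream cipher built from HMAC-SHA256 in counter mode (chosen so the demo runs on the standard library; real deployments use TLS on the transport or an authenticated cipher such as AES-GCM), and the dosage message, keys and nonce are constructed. The first half shows a MitM changing a dose in an encrypted message without knowing the key; the second half shows the same change being rejected once a message authentication code is added.

```python
"""Why transport encryption alone is not the whole defense against a MitM on e-mail.

Added illustration, not code from the original page. The cipher is a stream cipher
built from HMAC-SHA256 in counter mode (an assumption for the demo); the message is
constructed.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # bytes of nonce prefixed to every sealed message
TAG_LEN = 32    # bytes of HMAC-SHA256 tag appended to every sealed message


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream: HMAC-SHA256(key, nonce || counter) blocks, truncated to length."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse). Confidential, but malleable."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def flip_in_transit(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """What a MitM does without the key: XOR the ciphertext with old ^ new at a guessed offset.

    The attacker only needs to guess the plaintext layout ("Dose: 10 mg"), not the key.
    """
    patched = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        patched[offset + i] ^= o ^ n
    return bytes(patched)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, so any bit flip is detected."""
    ct = xor_encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Verify the tag before decrypting; return None on any tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_encrypt(enc_key, nonce, ct)


# Constructed scenario: a nursing station e-mails a dosage instruction to a pharmacy.
MESSAGE = b"Patient 4471 - Dose: 10 mg warfarin daily"
OFFSET = MESSAGE.index(b"10 mg")


def demo(enc_key: bytes, mac_key: bytes, nonce: bytes) -> dict:
    """Run both scenarios and return what the recipient ends up reading."""
    # 1. Encryption without authentication: the recipient decrypts a changed dose with no error.
    ct = xor_encrypt(enc_key, nonce, MESSAGE)
    ct_tampered = flip_in_transit(ct, OFFSET, b"10", b"90")
    unauthenticated = xor_encrypt(enc_key, nonce, ct_tampered)

    # 2. Encrypt-then-MAC: the identical flip (offset shifted past the nonce) is rejected.
    blob = seal(enc_key, mac_key, nonce, MESSAGE)
    blob_tampered = flip_in_transit(blob, NONCE_LEN + OFFSET, b"10", b"90")
    return {
        "untouched": open_sealed(enc_key, mac_key, blob),
        "unauthenticated_after_tamper": unauthenticated,
        "authenticated_after_tamper": open_sealed(enc_key, mac_key, blob_tampered),
    }


if __name__ == "__main__":
    result = demo(secrets.token_bytes(32), secrets.token_bytes(32), secrets.token_bytes(NONCE_LEN))
    for name, value in result.items():
        print(f"{name}: {value}")
```

Running it shows the unauthenticated path delivering "Dose: 90 mg" to the recipient with no indication anything changed, while the sealed path returns None for the tampered copy and the original text for the untouched one. The two keys are deliberately separate (one for encryption, one for the MAC), and `hmac.compare_digest` is used so that tag verification does not leak timing information.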


FAQs

How can organizations identify BEC attacks?

Look for the common indicators: urgent requests for financial transactions or changes to payment details, slight variations in sender addresses or domains, a Reply-To address that differs from the From address, and pressure to bypass normal verification procedures. Confirm any change to payment instructions through a channel other than the email itself, such as a phone number already on file for the vendor.


What makes phishing attacks successful?

Phishing attacks succeed through sophisticated social engineering tactics and careful impersonation of trusted entities.


What makes healthcare organizations particularly vulnerable to email attacks?

Healthcare organizations are prime targets due to their valuable patient data, complex vendor relationships, and need for rapid communication.