Email remains a primary entry point for cybercriminals seeking to infiltrate healthcare organizations, steal sensitive patient data, and disrupt operations. The FBI's Internet Crime Complaint Center (IC3) paints a stark picture, recording a staggering 880,418 complaints in 2023, leading to losses exceeding $12.5 billion across all industries. Healthcare, with its large amounts of valuable data and high-pressure environment, is directly in the line of fire. An academic paper published in BMJ Health & Care Informatics states, "Healthcare data has significant value and is a potential target for hackers." The paper goes on to note, “With the move to widespread comprehensive EPR systems and digital storage of novel information types… the potential value of health data is likely to increase and increasing sophisticated methods of gaining access are likely.”
Given these high stakes and the clear targeting of the healthcare sector, the question becomes: why is healthcare email still so vulnerable, especially when cybersecurity spending is reportedly on the rise? The newly released Paubox 2025 Healthcare Email Security Report, based on analysis of OCR-reported breaches, dives deep into the data behind these incidents. It reveals an industry often struggling with a dangerous "false sense of security," unaware of vulnerabilities until disaster strikes.
To understand the landscape of email communication in healthcare and the responsibilities involved for both providers and patients, we must first recognize the significant threats that healthcare organizations face via email.
BEC is one of the most financially damaging threats organizations face. The FBI’s IC3 tracked 21,489 BEC complaints in 2023 alone, resulting in losses exceeding USD $2.9 billion. What makes BEC so effective and particularly dangerous is that it often bypasses traditional technical defenses: it relies on social engineering, manipulating human psychology rather than exploiting software vulnerabilities. As an academic paper outlines, this type of threat does not require a high level of technical expertise, only a reasonable understanding of social engineering tactics. The paper also notes that BEC attacks increased dramatically, particularly during periods of remote work and the Corona crisis.
Attackers meticulously craft emails that appear entirely legitimate, often impersonating high-ranking executives, trusted colleagues, or established vendors. These deceptive messages typically convey a strong sense of urgency, pressuring recipients to take immediate action and bypass standard verification procedures. As a study in the Journal of Cybersecurity and Privacy points out, this exploitation of trust and the creation of urgent scenarios are key characteristics of BEC attacks. Healthcare organizations, with their intricate billing cycles, numerous vendor relationships, and frequently time-sensitive financial transactions (such as payments for essential medical supplies or patient transfer costs), can be especially susceptible to these sophisticated schemes.
An illustrative example of the significant financial damage BEC attacks can inflict occurred at Children’s Healthcare of Atlanta. In 2022, the hospital became a target of a BEC scam where the attacker cleverly spoofed the email domain of a construction company actively involved in their new campus project. By convincingly impersonating the construction company's CFO, the scammer successfully convinced the hospital to redirect payments totaling a staggering $3.6 million to a fraudulent account.
Drawing from insights presented by Microsoft Security, there are five primary and common types of BEC attacks:
Phishing remains the basis of many email attacks. The FBI's 2023 report listed it as the most reported cybercrime, with 298,878 complaints. Research in the International Journal on Advanced Science Engineering Information Technology confirms that phishing and spoofing attacks have become a significant threat because cybercriminals exploit both technical vulnerabilities and users' lack of awareness. Users often struggle to distinguish real websites from fraudulent ones as these attacks have become increasingly sophisticated. To make these social engineering attacks more convincing, attackers frequently impersonate reputable companies, government organizations, or popular online services to gain victims' trust and ultimately steal login credentials or other personal information.
An example of the devastating impact of phishing is the Colonial Pipeline Ransomware attack in 2021. This attack, which led to significant disruption of fuel supplies on the U.S. East Coast, began with a seemingly harmless phishing email. Attackers successfully gained initial network access through this method, which then allowed them to deploy ransomware and ultimately demand a $4.4 million ransom payment.
Attackers often combine spoofing (making an email look like it's from a trusted sender, perhaps by slightly altering a domain name – hhs-gov.com instead of hhs.gov) with urgent language and plausible scenarios to lower the recipient's guard.
Spear Phishing takes this a step further by targeting specific individuals (like a department head or physician) with highly personalized emails, often referencing known colleagues, projects, or recent events to appear incredibly legitimate. Whaling is spear phishing aimed directly at high-level executives.
While often dismissed as mere clutter, spam email remains a significant threat vector. Research cited by the Australian Institute of Criminology examining over 13 million spam emails found over 100,000 contained malicious attachments and nearly 1.4 million included malicious web links.
Spam is a primary delivery mechanism for both phishing campaigns and malware (including ransomware). Attackers obtain email lists through website scraping, dictionary attacks (guessing common usernames at known domains like hospitals), or purchasing lists on the dark web. Effective spam filtering is required, but determined attackers constantly refine their methods to bypass basic filters, meaning some malicious messages inevitably reach inboxes.
ATO occurs when a cybercriminal steals a user's login credentials (often via phishing or from previous data breaches) and gains control of their legitimate email account. Research from Fudan University underscores its prevalence, finding that 22% of US adult households had experienced an ATO, with significant financial losses.
MitM attacks on email are particularly dangerous. An attacker intercepts communications between two parties without either knowing, and can potentially read, modify, or inject malicious content into the emails. This is a significant risk for healthcare organizations that rely on unencrypted email to transmit PHI. An attacker on a compromised network, for example, could intercept and alter medication instructions or appointment details sent via standard email, leading to serious patient safety issues. As research on MitM attacks indicates, most cryptographic systems lacking authentication measures are vulnerable to this type of interception. Therefore, employing secure, encrypted transmission methods remains the fundamental defense against MitM attacks on email communications.
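One concrete way a sending mail system enforces "encrypted transmission" rather than merely offering it is MTA-STS (RFC 8461), under which the receiving domain publishes a policy stating that its MX hosts must be reached over validated TLS. The following is an added example, not code from the Paubox report or from any product it describes: it parses a policy in the published text format and decides whether a delivery attempt may proceed. The policy text, domain names, and the connection outcomes passed in are all constructed for illustration; a real sender fetches the policy over HTTPS from the domain's mta-sts host and validates the certificate chain, which this example assumes has already happened.

```python
# Added example (not from the original article): evaluating an MTA-STS
# policy before handing a message to a destination MX, so that a downgrade
# to cleartext or an interposed host is refused instead of tolerated.

# Constructed policy text in the RFC 8461 section 3.2 format that a domain
# publishes at https://mta-sts.<domain>/.well-known/mta-sts.txt (assumed domain).
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example-hospital.org
mx: *.backup-mx.example-hospital.org
max_age: 604800
"""

VALID_MODES = {"enforce", "testing", "none"}


def parse_policy(text: str) -> dict:
    """Parse 'key: value' lines into a dict; 'mx' collects a list of patterns.
    Raises ValueError for a malformed or incomplete policy."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy[key] = int(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError("missing or invalid mode")
    if "max_age" not in policy:
        raise ValueError("missing max_age")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policy lists no mx patterns")
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """An mx pattern is an exact host name or '*.' plus a parent domain;
    the wildcard covers exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        parent = pattern[2:]
        if not host.endswith("." + parent):
            return False
        return "." not in host[: -len(parent) - 1]
    return pattern == host


def delivery_allowed(policy: dict, mx_host: str, tls_established: bool,
                     cert_matches_host: bool) -> tuple:
    """Decide whether the sending MTA may deliver to `mx_host` given what its
    connection attempt achieved. Returns (allowed, reason). Under 'enforce'
    any shortfall blocks delivery; 'testing' and 'none' only report it."""
    problems = []
    if not any(mx_matches(p, mx_host) for p in policy["mx"]):
        problems.append(f"{mx_host} is not a listed MX")
    if not tls_established:
        problems.append("STARTTLS not negotiated")
    elif not cert_matches_host:
        problems.append("certificate does not validate for the MX host")
    if not problems:
        return True, "TLS to a policy-listed MX"
    reason = "; ".join(problems)
    if policy["mode"] == "enforce":
        return False, reason
    return True, f"allowed under mode={policy['mode']} but would fail enforce: {reason}"


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY)
    # Constructed outcomes: a clean TLS session, a cleartext downgrade, an unlisted host.
    for host, tls, cert in [("mail.example-hospital.org", True, True),
                            ("mail.example-hospital.org", False, False),
                            ("mail.unlisted.example", True, True)]:
        print(host, delivery_allowed(pol, host, tls, cert))
```

The useful contrast is the same connection outcome under `mode: testing` versus `mode: enforce`: a domain that publishes only a testing policy still accepts cleartext delivery and merely generates a report, so the interception risk described above is only closed once the policy is switched to enforce.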
Look for common indicators such as urgent requests for financial transactions, slight variations in email addresses, and pressure to bypass normal verification procedures.
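The lookalike-domain spoofing described earlier (hhs-gov.com standing in for hhs.gov) and the indicators just listed (address variations, off-domain reply paths, pressure to act immediately) can be screened for mechanically at the mail gateway or in a triage script. The following is an added example written for this page, not code from the Paubox report or from any vendor it cites: it compares a sender's domain against a list of trusted domains after folding punctuation and common homoglyph sequences, checks whether Reply-To points somewhere other than the From domain, and looks for urgency wording. The trusted-domain list, the homoglyph table, the urgency terms and the sample message are all constructed for illustration, and the thresholds are starting points rather than tuned values.

```python
# Added example (not from the original article): a header-level screen for
# lookalike sender domains and common BEC indicators.
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed list of domains this organization legitimately corresponds with.
TRUSTED_DOMAINS = {"hhs.gov", "example-hospital.org", "buildco-construction.com"}

# Character sequences often used to imitate other letters in lookalike names (constructed).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]

# Pressure wording typical of BEC lures (constructed, deliberately short).
URGENCY = re.compile(
    r"\b(urgent(?:ly)?|immediately|asap|right away|before (?:the )?close of business)\b",
    re.IGNORECASE,
)


def normalize(name: str) -> str:
    """Lower-case, strip punctuation, and fold homoglyph sequences so that
    'Exarnple-Hospital' and 'examplehospital' compare equal."""
    s = re.sub(r"[^a-z0-9]", "", name.lower())
    for fake, real in HOMOGLYPHS:
        s = s.replace(fake, real)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with unit insert/delete/substitute costs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def comparable_forms(domain: str) -> set:
    """The whole domain and the domain minus its top-level label, normalized.
    'hhs-gov.com' yields {'hhsgovcom', 'hhsgov'}; the second form equals
    normalize('hhs.gov'), which is how that lookalike is caught."""
    labels = domain.lower().split(".")
    forms = {normalize(domain)}
    if len(labels) > 1:
        forms.add(normalize(".".join(labels[:-1])))
    return forms


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1):
    """Return the trusted domain that `domain` imitates, or None if it is
    trusted itself or resembles nothing on the list."""
    domain = domain.lower()
    if domain in trusted:
        return None
    candidate_forms = comparable_forms(domain)
    for t in sorted(trusted):
        for a in candidate_forms:
            for b in comparable_forms(t):
                if a and b and edit_distance(a, b) <= max_distance:
                    return t
    return None


def header_domain(header_value) -> str:
    """Domain part of an address header, or '' if the header is absent."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def bec_indicators(raw_message: str) -> list:
    """Screen one RFC 5322 message and return the indicators it trips."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domain = header_domain(msg["From"])
    reply_domain = header_domain(msg["Reply-To"])
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} resembles trusted domain {imitated}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    if URGENCY.search(text):
        findings.append("urgency language in subject or body")
    return findings


# Constructed sample lure: digit-for-letter vendor domain, off-domain Reply-To, pressure wording.
SAMPLE_MESSAGE = """\
From: "A. Chen, CFO" <a.chen@buildco-constructi0n.com>
Reply-To: a.chen@mail-relay.example.net
To: accounts-payable@example-hospital.org
Subject: URGENT: updated wire instructions for campus invoice

Our bank details changed. Please wire today's payment to the new account
before close of business; I am in meetings and cannot take calls.
"""

if __name__ == "__main__":
    for finding in bec_indicators(SAMPLE_MESSAGE):
        print("FLAG:", finding)
```

None of these checks is conclusive on its own; a legitimate vendor can have a relay in Reply-To and an invoice can genuinely be due today. The value is in the combination: a message that trips the lookalike check together with either of the others is the case the earlier paragraphs describe, and it should route to the out-of-band payment verification step rather than to the person being pressured.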
Phishing attacks succeed through sophisticated social engineering tactics and careful impersonation of trusted entities.
Healthcare organizations are prime targets due to their valuable patient data, complex vendor relationships, and need for rapid communication.