Due to its near-universal adoption, speed, and cost-effectiveness, email remains one of the most common communication channels in healthcare. Consequently, it’s one of the most frequent targets for cyber attacks, as malicious actors are acutely aware of the vast amounts of sensitive data contained in messages – and standard email communication’s inherent vulnerabilities.
In light of this, healthcare organizations must remain aware of the evolving email threat landscape, and implement effective strategies to protect the electronic protected health information (ePHI) included in email messages. Failing to properly secure email communications jeopardizes patient data privacy, which can disrupt operations, result in costly HIPAA compliance violations, and, most importantly, compromise the quality of their patients’ healthcare provision.
With all this in mind, this post details the biggest email threats faced by healthcare organizations today, with the greatest potential to cause your business or practice harm by compromising patient and company data. You can also get our 2025 report on the latest email threats, which includes strategies on how to overcome them.
Ransomware Attacks
Ransomware is a type of malware that encrypts, corrupts, or deletes a healthcare organization’s data or critical systems, and enables the cybercriminals that deployed it to demand a payment (i.e., a ransom) for their restoration. Healthcare personnel can unwittingly download ransomware onto their devices by opening a malicious email attachment or clicking on a link contained in an email.
In recent years, ransomware has emerged as the email security threat with the most significant financial impact. In 2024, for instance, there were over 180 confirmed ransomware attacks with an average paid ransom of nearly $1 million.
Email Client Misconfiguration
While a healthcare organization may implement email security controls, many fail to know the security gaps of their current email service provider (ESP) or understand the value of a HIPAA compliant email platform, leaving data vulnerable to email threats, such as unauthorized access and ePHI exposure, and also, subsequently, a greater risk of compliance violations and reputation damage.
Common types of email misconfiguration include:
- Lack of enforced TLS encryption: resulting in emails being transmitted in plaintext, rendering the patient data they contain readable by cybercriminals in the event of interception during transit.
- Improper SPF/DKIM/DMARC setup: failure to configure or align these email authentication protocols correctly gives malicious actors greater latitude to successfully spoof trusted domains.
- Disabled or lax user authentication: a lack of authentication measures, such as multi-factor authentication (MFA), increases the risk of unauthorized access and ePHI exposure.
- Misconfigured secure email gateways: incorrect rules or filtering policies can allow phishing emails through or block legitimate messages.
- Outdated or unsupported email client software: simply neglecting to download and apply the latest updates or patches from the email client’s vendor can leave vulnerabilities, which are well-known to cybercriminals, exposed to attack.
Social Engineering Attacks
A social engineering attack involves a malicious actor deceiving or convincing healthcare employees into granting unauthorized access or exposing patient data. Relying on psychological manipulation, social engineering attacks exploit a person’s trust, urgency, fear, or curiosity, and encompass an assortment of threats, including phishing and business email compromise (BEC) attacks, which are covered in greater depth below.
Phishing
As mentioned above, phishing is a type of social engineering attack, but they are so widespread that it warrants its own mention. Phishing sees malicious actors impersonating legitimate companies, or their employees, to trick victims into revealing sensitive patient data.
Subsequently, healthcare organizations can be subjected to several different types of phishing attacks, which include:
- General phishing: otherwise known as bulk phishing or simply ‘phishing’, these are broad, generic attacks where emails are sent to large numbers of recipients, impersonating trusted entities to steal credentials or deliver malware.
- Spear phishing: more targeted attacks that involve personalized phishing emails crafted for a specific healthcare organization or individual. These require more research on the part of malicious actors and typically use relevant insider details gleaned from their reconnaissance for additional credibility.
- Whaling: a form of spear phishing that specifically targets healthcare executives or other high-level employees.
- Clone phishing: when a cybercriminal duplicates a legitimate email that was previously received by the target, replacing links or attachments with malicious ones.
- Credential phishing: also known as ‘pharming’, this involves emails that link to fake login pages designed to capture healthcare employees’ usernames and passwords under the guise of frequently used legitimate services.
Domain Impersonation and Spoofing
This category of threat revolves around making malicious messages appear legitimate, which can allow them to bypass basic email security checks. As alluded to above, these attacks exploit weaknesses in email client misconfigurations to trick the recipient, typically to expose and exfiltrate patient data, steal employee credentials, or distribute malware.
Domain spoofing email threats involve altering the “From” address in an email header to make it appear to be from a legitimate domain. If a healthcare organization fails to properly configure authentication protocols like SPF, DKIM, and DMARC, there’s a greater risk of their email servers failing to flag malicious messages and allowing them to land in users’ inboxes.
Domain impersonation, on the other hand, requires cybercriminals to register a domain that closely resembles a legitimate one. This may involve typosquatting, e.g., using “paypa1.com” instead of “paypal.com”. Alternatively, a hacker may utilize a homograph attack, which substitutes visually similar characters, e.g., from different character sets, such as Cyrillic. Malicious actors will then send emails from these fraudulent domains, which often have the ability to bypass basic email filters because they aren’t exact matches for blacklisted domains. Worse still, such emails can appear authentic to users, particularly if the attacker puts in the effort to accurately mimic the branding, formatting, and tone used by the legitimate entity they’re attempting to impersonate.
Insider Email Threats
In addition to external parties, employees within a healthcare organization can pose email threats to the security of its PHI. On one hand, insider threats can be intentional, involving disgruntled employees or third-party personnel abusing their access privileges to steal or corrupt patient data. Alternatively, they could be the result of mere human error or negligence, stemming from ignorance, or even fatigue.
What’s more, insider threats have been exacerbated by the rise of remote and flexible conditions since the onset of the COVID-19 pandemic, which has created more complex IT infrastructures that are more difficult to manage and control.
Business Email Compromise (BEC) Attacks
A BEC attack is a highly targeted type of social engineering attack in which cybercriminals gain access to, or copy, a legitimate email account to impersonate a known and trusted individual within an organization. BEC attacks typically require extensive research on the targeted healthcare company and rely less on malicious links or attachments, unlike phishing, which can make them difficult to detect.
Due to the high volume of emails transmitted within the healthcare industry, and the sensitive nature of PHI often included in communications to patients and between organizations, the healthcare industry is a consistent target of BEC attacks.
BEC attacks come in several forms, such as:
- Account compromise: hijacking a real employee’s account and sending fraudulent messages.
- Executive fraud: impersonating high-ranking personnel to request urgent financial transactions or access to sensitive data.
- Invoice fraud: pretending to be a vendor asking for the payment of a fraudulent invoice into an account under their control.
Supply Chain Risk
Healthcare organizations increasingly rely on third-party vendors, including cloud service providers, software vendors, and billing or payment providers to serve their patients and customers. They constantly communicate with their supply chain partners via email, with some messages containing sensitive patient data; moreover, some of these organizations will have various levels of access to the PHI under their care.
Consequently, undetected vulnerabilities or lax security practices within your supply chain network could serve as entry points for email threats and malicious action. For instance, cybercriminals can compromise the email servers of a healthcare company’s third-party vendor or partner, and then send fraudulent emails from their domains to deploy malware or extract patient data.
Another, somewhat harrowing, way to understand supply chain risk is that while your organization may have a robust email security posture, in reality, it’s only as strong as that of your weakest third-party vendor’s security controls.
Download LuxSci’s Email Cyber Threat Readiness Report
To gain further insight into the biggest email threats to healthcare companies in 2025, including increasingly prevalent AI threats, download your copy of LuxSci’s Email Cyber Threat Readiness Report.
You’ll also learn about the upcoming changes to the HIPAA Security Rule and how it’s set to impact your organization going forward, and the most effective strategies for strengthening your email security posture.
Grab your copy of the report here and begin the journey to strengthening your company’s email threat readiness today.
