Healthcare Industry Highly Susceptible to Phishing Attacks and Lags Other Industries for Phishing Resiliency

The healthcare industry is extensively targeted by phishers who frequently gain access to healthcare data stored in email accounts. In some cases, those email accounts contain considerable volumes of highly sensitive protected health information. Phishing is one of the leading causes of healthcare data breaches.

In August 2018, Augusta University Healthcare System announced that it had been the victim of a phishing attack in which multiple email accounts were compromised. The breached email accounts contained the PHI of 417,000 patients. The incident stood out for the number of individuals affected, but Augusta University Healthcare System was just one of several healthcare organizations to fall victim to phishing attacks that month.

Data from the HHS’ Office for Civil Rights shows email is the most common location of breached PHI. In July, 14 of the 28 reported healthcare data breaches involved email, compared with 6 breaches of PHI stored on network servers, the second most common location. It was a similar story in May and June, with 9 and 11 email breaches reported respectively.

Cofense Research Shows Healthcare Industry Lags Behind Other Industries in Resiliency to Phishing

The anti-phishing solution provider Cofense (formerly PhishMe) recently published an industry brief exploring the problem of phishing in the healthcare industry.

The report, entitled ‘Say “Ah!” – A Closer Look at Phishing in the Healthcare Industry’, confirmed the extent to which the healthcare industry is targeted by cybercriminals. According to the report, the healthcare industry accounts for one third of all data breaches, which have resulted in the exposure or theft of more than 175 million records.

It is no surprise that the healthcare industry is targeted by hackers, as healthcare organizations store vast amounts of extremely valuable data: health information, insurance information, Social Security numbers, dates of birth, contact information, and financial data. All of this information can easily be sold to identity thieves and fraudsters.

Further, the healthcare industry has historically underinvested in cybersecurity, with security budgets typically much lower than in other sectors such as finance.

Cofense data shows that healthcare organizations fare worse than other industries in terms of both susceptibility and resiliency to phishing attacks. Both metrics come from Cofense’s phishing simulation platform. Susceptibility is the percentage of employees who were fooled by (that is, clicked on) a simulated phishing email. Resiliency is the ratio of users who reported a simulated phishing attempt through the Cofense Reporter email add-on to users who did not report it, so a higher resiliency figure is better.

Across all industries, the susceptibility rate was 11.9% and the resiliency rate was 1.79. For healthcare, susceptibility was 12.4% and resiliency was 1.34. By comparison, the insurance industry had a resiliency rate of 3.03 and the energy sector a resiliency rate of 4.01.

The past few years have seen healthcare cybersecurity budgets increase and a greater emphasis placed on security and risk management. The extra funding for anti-phishing defenses is having a positive effect, although there is considerable room for improvement.

[Figure: susceptibility and resiliency rates by industry. Source: Cofense]

How Are Healthcare Employees Being Fooled by Phishers?

An analysis of the simulated phishing emails that most commonly fooled healthcare employees reveals a mix of social and business lures. The template most likely to fool a healthcare employee was a requested invoice, followed by a manager evaluation, a package delivery notification, and a Halloween eCard alert; each of these had a click rate above 21%. Emails about holiday eCard alerts, HSA customer service messages, and employee raffles also commonly fooled employees.

Data from Cofense Intelligence shows that invoice requests are one of the most common active threats in the wild, and are often used to deliver ransomware. In simulations, 32.5% of healthcare employees were fooled by these emails, and only 7.2% reported them as suspicious. The gap between the click rate and the report rate is the practical problem: a lure that most recipients neither recognize nor report gives the security team little chance to contain the attack before credentials or data are exposed.

Author: Steve Alder, editor-in-chief of The HIPAA Journal.
