
Paubox Research on Email Security Identifies Top Security Risks in 2026

New research from Paubox has highlighted the top email security risks for healthcare organizations in 2026. The greatest risk lies not with novel and increasingly sophisticated threats, but the foundational weaknesses in email security that have existed and been exploited by threat actors for years.

The latest data show that cyber threat actors are relying less on vulnerabilities and are focused on compromised credentials for initial access to networks. Email is the leading entry point for cybercriminals and the root cause of many data breaches, especially in healthcare. Cybercriminals are using email to obtain credentials that provide them with the foothold they need for an extensive compromise, including data theft, extortion, and file encryption with ransomware. The extent to which email is used, and the weaknesses in email security that facilitate attacks, have been explored by the leading HIPAA-compliance email firm Paubox in its 2026 Healthcare Email Security Report.

Based on data reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), at least 170 email-related data breaches occurred in 2025 that involved the exposure or acquisition of electronic protected health information (ePHI). There was a slight decline in email incidents year-over-year, although Paubox’s analysis has shown that email-based data breaches are still highly prevalent and, in most cases, were the result of foundational security gaps – poorly configured security tools, a lack of appropriate safeguards, and human factors – that have remained largely unchanged for years and are widespread among HIPAA-covered entities and their business associates.

A concerning number of HIPAA-regulated entities were found to have failed to implement email security measures that have been recommended for many years. Paubox’s analysis of organizations that experienced an email security incident in 2025 found that three-quarters lacked effective DMARC enforcement, a basic security measure that instructs receiving mail servers to take no action on (p=none), quarantine, or reject emails that fail authentication checks. Worryingly, more than half of breached organizations had missing or permissive Sender Policy Framework (SPF) records, which receiving servers use to determine whether an email was sent from a server authorized to use the domain, leaving them at a high risk of phishing and spear phishing emails being delivered to end users.

Out of the HIPAA-covered entities and business associates that experienced an email breach, none enforced the Mail Transfer Agent Strict Transport Security (MTA-STS) security standard, which requires sending mail servers to deliver to the domain only over authenticated TLS connections, preventing interception in transit. MTA-STS ensures that emails are only delivered via a trusted and secure connection. Without enforced transport encryption, healthcare organizations are at risk of man-in-the-middle (MITM) attacks.
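The three controls discussed above (DMARC enforcement, a restrictive SPF record, and an MTA-STS policy in enforce mode) are all published as small text records, so the weak and hardened configurations can be shown side by side. The checker below is an added example written for this article, not code from Paubox or The HIPAA Journal. It performs no DNS lookups: the records are constructed inline for the fictitious domain example.test, and the classifier deliberately does not follow SPF include: or redirect= references, so it grades only what is directly visible in each record.

```python
"""Grade DMARC, SPF and MTA-STS records as weak or hardened.

Added example (not from the original article). Records are constructed
for the fictitious domain example.test; no DNS queries are made and
SPF include:/redirect= references are not followed.
"""
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str]           # (severity, reason); severity is ok/medium/high
SEVERITY_ORDER = {"ok": 0, "medium": 1, "high": 2}


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: Optional[str]) -> Finding:
    """Enforcement means p=quarantine or p=reject applied to 100% of failing mail."""
    if not txt:
        return ("high", "no DMARC record published")
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return ("high", "record is not a DMARC1 record")
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy == "none":
        return ("high", "p=none: failures are only reported, mail is still delivered")
    if pct < 100:
        return ("medium", f"p={policy} applies to only {pct}% of failing mail")
    return ("ok", f"p={policy} enforced on 100% of failing mail")


def assess_spf(txt: Optional[str]) -> Finding:
    """The qualifier on the 'all' mechanism decides what happens to unlisted senders."""
    if not txt:
        return ("high", "no SPF record published")
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("high", "record does not start with v=spf1")
    verdict: Optional[str] = None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        if term.lstrip("+-~?").lower() == "all":
            verdict = qualifier
            break                    # evaluation stops at the first matching mechanism
    if verdict is None:
        if any(t.lower().startswith("redirect=") for t in terms):
            return ("medium", "no 'all' mechanism; result delegated by redirect= (not followed here)")
        return ("high", "no 'all' mechanism: unlisted senders receive a neutral result")
    if verdict == "+":
        return ("high", "+all: any server on the internet may send as this domain")
    if verdict == "?":
        return ("high", "?all: unlisted senders receive a neutral result")
    if verdict == "~":
        return ("medium", "~all: softfail only; relies on DMARC enforcement to be effective")
    return ("ok", "-all: unlisted senders fail authentication")


def parse_mta_sts(policy: str) -> Dict[str, object]:
    """Parse the 'key: value' lines of an MTA-STS policy file; mx may repeat."""
    fields: Dict[str, object] = {}
    mx: List[str] = []
    for line in policy.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            mx.append(value)
        else:
            fields[key] = value
    fields["mx"] = mx
    return fields


def assess_mta_sts(policy: Optional[str]) -> Finding:
    """Only mode: enforce stops a sender from silently falling back to cleartext."""
    if not policy:
        return ("high", "no MTA-STS policy published: delivery may fall back to cleartext")
    fields = parse_mta_sts(policy)
    if str(fields.get("version", "")).lower() != "stsv1":
        return ("high", "policy is not an STSv1 policy")
    mode = str(fields.get("mode", "none")).lower()
    if mode == "none":
        return ("high", "mode: none disables MTA-STS")
    if not fields["mx"]:
        return ("high", f"mode: {mode} but no mx hosts listed; no MX can be matched")
    if mode == "testing":
        return ("medium", "mode: testing reports TLS failures but still allows delivery")
    return ("ok", "mode: enforce requires authenticated TLS to the listed MX hosts")


def assess_domain(dmarc: Optional[str], spf: Optional[str], mta_sts: Optional[str]) -> Dict[str, object]:
    """Combine the three findings; overall risk is the worst individual severity."""
    findings = {"dmarc": assess_dmarc(dmarc), "spf": assess_spf(spf), "mta_sts": assess_mta_sts(mta_sts)}
    overall = max((sev for sev, _ in findings.values()), key=SEVERITY_ORDER.__getitem__)
    return {"overall": overall, "findings": findings}


# Constructed records: the weak shapes the report describes, then hardened equivalents.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.test"
WEAK_SPF = "v=spf1 include:_spf.example.test ?all"
WEAK_MTA_STS = None                  # nothing published at mta-sts.example.test
HARDENED_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.test"
HARDENED_SPF = "v=spf1 ip4:192.0.2.25 include:_spf.example.test -all"
HARDENED_MTA_STS = "version: STSv1\nmode: enforce\nmx: mail.example.test\nmax_age: 604800\n"

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_DMARC, WEAK_SPF, WEAK_MTA_STS)),
                        ("hardened", (HARDENED_DMARC, HARDENED_SPF, HARDENED_MTA_STS))):
        result = assess_domain(*args)
        print(f"{label}: overall={result['overall']}")
        for control, (sev, reason) in result["findings"].items():
            print(f"  {control:8s} {sev:6s} {reason}")
```

The weak set grades as high risk on all three controls and the hardened set as ok; a p=quarantine record with pct below 100, an SPF record ending in ~all, or an MTA-STS policy in testing mode each land in the medium band, which is the partially deployed state an organization often stops at.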

Microsoft 365 is extensively used in healthcare for email, and while the platform includes multiple security tools, they do not necessarily equate to better security and fewer data breaches. The analysis revealed that 53% of email-related healthcare data breaches occurred in Microsoft 365 environments. What is clear is that healthcare organizations are exposing themselves to email-based attacks due to incomplete and poorly implemented configurations, and the security measures they have deployed have failed to keep pace with modern email threats.

As has long been the case, most email-related incidents are the result of phishing, spoofing, improper handling of emails, and credential compromise, and for the most part, email incidents from these causes are preventable. Unless healthcare organizations address their foundational weaknesses in email security, email will remain a leading cause of cyberattacks and data breaches.

Paubox’s analysis of email security configurations found that 41% of breached organizations fell into a high-risk category. While that percentage should have fallen year-over-year, it actually increased from 31% of breached organizations in 2024. There were even cases in 2025 where the same organization experienced multiple email-related data breaches, showing they failed to understand and address the foundational email security weaknesses that were exploited.

It is foundational weaknesses in email security that create the biggest email security risk for healthcare organizations. While there is always a threat of novel and increasingly sophisticated attacks, in reality, there is no driving force compelling threat actors to seek new and more sophisticated attack methods, as the same tried and tested techniques exploiting common security weaknesses are still proving successful.

Looking forward to the rest of 2026 and beyond, healthcare organizations need to consider the foundational security weaknesses that are routinely being exploited, as this is where the bulk of the risk exists. “Future breaches are more likely to occur in environments where the same misconfigurations and security gaps have existed for years, rather than as the result of new attack techniques,” explained Paubox.

Addressing these risks is naturally important for preventing costly operational disruptions and data breaches, but it is also essential for HIPAA compliance. OCR has imposed several penalties for email-related data breaches – not for an individual being duped by a phishing email, but for basic security failures that made such an attack possible.

A comprehensive and accurate risk analysis to assess reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI is vital for HIPAA compliance, and even more important for avoiding penalties under OCR’s current HIPAA enforcement drive. OCR has also stated that it will be expanding this initiative to cover risk management, to ensure that identified risks are reduced to a low and acceptable level.

According to KnowBe4 research, phishing attacks increased by 17% year-over-year. Given the high risk of email-based attacks, the risk analysis must naturally cover email security and risks related to spoofing and phishing; however, Paubox warns that the risk analysis must also cover emerging risks. These include how emerging tools interact with existing infrastructure, AI tools processing PHI outside of sanctioned systems, whether DMARC and SPF are protecting against AI-generated outbound communications, whether encryption is being routinely applied or is reliant on user decisions, and whether logging and monitoring controls are capturing AI-assisted communications to the same extent as traditional email workflows.

One of the ways that risk can be managed is by reducing human decision points as far as possible, as human error and poor end user security decisions are inevitable. Previous Paubox research found that 86% of healthcare IT leaders admitted awareness that users were bypassing security controls to reduce workflow friction. When encryption was left to the discretion of employees, emails that should have been encrypted were not, either through employee error or the avoidance of workflow disruption. The simple solution for HIPAA compliance is to take the decision away from employees and enforce encryption for all emails in transit. That ensures HIPAA-compliant message delivery regardless of the sender, recipient, or message content. With Paubox, that can be achieved without portals, passwords, or additional steps that impact workflows.

The high number of security incidents in Microsoft 365 environments and the regularity with which threats are bypassing security controls show a clear need for augmented security. Paubox’s email security suite adds additional layers of security on top of Microsoft 365, Google Workspace, and Exchange security measures, without the need for plug-ins, additional staff training, or new workflows.

Through enhanced threat protection and the elimination of the workflow friction that leads employees to bypass security controls, healthcare organizations can make significant email security improvements, prevent email data breaches, and clearly demonstrate HIPAA email compliance in the event of a compliance audit or OCR investigation.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
