Paubox Research on Email Security Identifies Top Security Risks in 2026

New research from Paubox has highlighted the top email security risks for healthcare organizations in 2026. The greatest risk lies not with novel and increasingly sophisticated threats, but the foundational weaknesses in email security that have existed and been exploited by threat actors for years.

The latest data show that cyber threat actors are relying less on vulnerabilities and are focused on compromised credentials for initial access to networks. Email is the leading entry point for cybercriminals and the root cause of many data breaches, especially in healthcare. Cybercriminals are using email to obtain credentials that provide them with the foothold they need for an extensive compromise, including data theft, extortion, and file encryption with ransomware. The extent to which email is used, and the weaknesses in email security that facilitate attacks, have been explored by the leading HIPAA-compliance email firm Paubox in its 2026 Healthcare Email Security Report.

Based on data reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), at least 170 email-related data breaches occurred in 2025 that involved the exposure or acquisition of electronic protected health information (ePHI). There was a slight decline in email incidents year-over-year, although Paubox’s analysis has shown that email-based data breaches are still highly prevalent and, in most cases, were the result of foundational security gaps – poorly configured security tools, a lack of appropriate safeguards, and human factors – that have remained largely unchanged for years and are widespread among HIPAA-covered entities and their business associates.

A concerning number of HIPAA-regulated entities were found to have failed to implement email security measures that have been recommended for many years. Paubox’s analysis of organizations that experienced an email security incident in 2025 found that three-quarters lacked effective DMARC enforcement, a basic security measure that instructs receiving mail servers to ignore, quarantine, or reject emails that fail authentication checks. Worryingly, more than half of breached organizations had missing or permissive Sender Policy Framework (SPF) records, the records receiving servers use to determine whether an email was sent from a server authorized to use the domain, leaving them at high risk of phishing and spear phishing emails being delivered to end users.

Out of the HIPAA-covered entities and business associates that experienced an email breach, none enforced the Mail Transfer Agent Strict Transport Security (MTA-STS) standard, which requires sending mail servers to deliver messages over an authenticated, encrypted connection to prevent interception in transit. MTA-STS ensures that emails are only delivered via a trusted and secure connection. Without that enforcement, a sending server can be made to fall back to an unencrypted connection, leaving healthcare organizations at risk of man-in-the-middle (MITM) attacks.
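The DMARC, SPF and MTA-STS weaknesses described in the two paragraphs above can be graded directly from a domain's records. The following is an added example, not Paubox's code or part of the original post; the record strings, the example.test domain, and the "unenforced"/"permissive"/"softfail" labels are my own assumptions, chosen to mirror the report's categories.

```python
# Added example, not from the Paubox report: grade the three controls it names from the raw
# records (constructed samples here; live values come from DNS TXT and the MTA-STS policy URL).

def dmarc_enforcement(txt):
    # 'missing', 'unenforced' (p=none, or pct<100 so the policy applies to a sample) or the policy
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return "missing"
    tags = {}
    for part in txt.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip()
    policy = tags.get("p", "none").lower()
    enforced = policy in ("quarantine", "reject") and int(tags.get("pct", "100")) == 100
    return policy if enforced else "unenforced"

def spf_strictness(txt):
    # Judged by the 'all' qualifier: -all enforced, ~all softfail, ?all or +all permissive
    if not txt or not txt.lower().startswith("v=spf1"):
        return "missing"
    for term in txt.split()[1:]:
        if term.lstrip("+-~?").lower() == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
            return {"-": "enforced", "~": "softfail"}.get(qualifier, "permissive")
    return "permissive"  # no 'all' term: unlisted senders get a neutral result

def mta_sts_mode(txt, policy_file):
    # Only mode 'enforce' blocks a TLS downgrade; 'testing' and 'none' merely report
    if not txt or not txt.lower().startswith("v=stsv1") or not policy_file:
        return "missing"
    for line in policy_file.splitlines():
        key, _, val = line.partition(":")
        if key.strip().lower() == "mode":
            return val.strip().lower()
    return "missing"

def assess(records):
    # Return the foundational gaps for one domain, given its records as a dict
    checks = [("DMARC", dmarc_enforcement(records.get("dmarc")), ("quarantine", "reject")),
              ("SPF", spf_strictness(records.get("spf")), ("enforced",)),
              ("MTA-STS", mta_sts_mode(records.get("mta_sts_txt"),
                                       records.get("mta_sts_policy")), ("enforce",))]
    return [f"{name} not enforced ({state})" for name, state, ok in checks if state not in ok]

# Constructed samples: a posture typical of breached organizations, and a hardened one
WEAK = {"dmarc": "v=DMARC1; p=none", "spf": "v=spf1 include:spf.example.test ?all"}
HARDENED = {"dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test",
            "spf": "v=spf1 include:spf.example.test -all", "mta_sts_txt": "v=STSv1; id=20260301",
            "mta_sts_policy": "version: STSv1\nmode: enforce\nmx: mail.example.test\nmax_age: 604800"}
```

Running `assess(WEAK)` reports all three gaps while `assess(HARDENED)` returns an empty list; a domain with an `include:` chain or a `redirect=` modifier would need the referenced records resolved before the SPF grade is final.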

Microsoft 365 is extensively used in healthcare for email, and while the platform includes multiple security tools, they do not necessarily equate to better security and fewer data breaches. The analysis revealed that 53% of email-related healthcare data breaches occurred in Microsoft 365 environments. What is clear is that healthcare organizations are exposing themselves to email-based attacks due to incomplete and poorly implemented configurations, and the security measures they have deployed have failed to keep pace with modern email threats.

As has long been the case, most email-related incidents are the result of phishing, spoofing, improper handling of emails, and credential compromise, and for the most part, incidents from these causes are preventable. Unless healthcare organizations address their foundational weaknesses in email security, email will remain a leading cause of cyberattacks and data breaches.

Paubox’s analysis of email security configurations found that 41% of breached organizations fell into a high-risk category. While that percentage should have fallen year-over-year, it actually increased from 31% of breached organizations in 2024. There were even cases in 2025 where the same organization experienced multiple email-related data breaches, showing that they had failed to understand and address the foundational email security weaknesses that were exploited.

It is foundational weaknesses in email security that create the biggest email security risk for healthcare organizations. While there is always a threat of novel and increasingly sophisticated attacks, in reality, there is no driving force compelling threat actors to seek new and more sophisticated attack methods, as the same tried and tested techniques exploiting common security weaknesses are still proving successful.

Looking forward to the rest of 2026 and beyond, healthcare organizations need to consider the foundational security weaknesses that are routinely being exploited, as this is where the bulk of the risk exists. “Future breaches are more likely to occur in environments where the same misconfigurations and security gaps have existed for years, rather than as the result of new attack techniques,” explained Paubox.

Addressing these risks is naturally important for preventing costly operational disruptions and data breaches, but it is also essential for HIPAA compliance. OCR has imposed several penalties for email-related data breaches – not for an individual being duped by a phishing email, but for basic security failures that made such an attack possible.

A comprehensive and accurate risk analysis to assess reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI is vital for HIPAA compliance, and even more important for avoiding penalties under OCR’s current HIPAA enforcement drive. OCR has also stated that it will be expanding this initiative to cover risk management, to ensure that identified risks are reduced to a low and acceptable level.

According to KnowBe4 research, phishing attacks increased by 17% year-over-year. Given the high risk of email-based attacks, the risk analysis must naturally cover email security and risks related to spoofing and phishing; however, Paubox warns that the risk analysis must also cover emerging risks. They include how emerging tools interact with existing infrastructure, AI tools processing PHI outside of sanctioned systems, whether DMARC and SPF are protecting against AI-generated outbound communications, if encryption is being routinely applied or is reliant on user decisions, and if logging and monitoring controls are capturing AI-assisted communications to the same extent as traditional email workflows.

One of the ways that risk can be managed is by reducing human decision points as far as possible, as human error and poor end user security decisions are inevitable. Previous Paubox research found that 86% of healthcare IT leaders admitted they were aware that users were bypassing security controls to reduce workflow friction. When encryption was left to the discretion of employees, emails that should have been encrypted were not, either through employee error or the avoidance of workflow disruption. The simple solution for HIPAA compliance is to take the decision away from employees and enforce encryption for all emails in transit. That ensures HIPAA-compliant message delivery regardless of the sender, recipient, or message content. With Paubox, that can be achieved without portals, passwords, or additional steps that impact workflows.

The high number of security incidents in Microsoft 365 environments and the regularity with which threats are bypassing security controls show a clear need for augmented security. Paubox’s email security suite adds layers of security on top of Microsoft 365, Google Workspace, and Exchange security measures, without the need for plug-ins, additional staff training, or new workflows.

Through enhanced threat protection and the elimination of the workflow friction that leads employees to bypass security controls, healthcare organizations can make significant email security improvements, prevent email data breaches, and clearly demonstrate HIPAA email compliance in the event of a compliance audit or OCR investigation.

The post Paubox Research on Email Security Identifies Top Security Risks in 2026 appeared first on The HIPAA Journal.

ID Care & CommuniCare Announce Data Breaches

ID Care in New Jersey and Barrio Comprehensive Family Health Care Center (CommuniCare) in Texas have confirmed that patients’ personal and protected health information has been compromised in recent data security incidents.

ID Care

ID Care, a New Jersey-based network of board-certified infectious disease specialists, has recently disclosed a data security incident that involved unauthorized access to the personal and protected health information of current and former patients.

Suspicious activity was identified within certain systems on November 5, 2025. Industry-leading cybersecurity specialists were engaged to investigate the activity and confirmed that an unknown actor gained access to ID Care’s network and accessed or downloaded files without authorization.

ID Care is currently reviewing the affected files, and while that process has not yet been completed, ID Care has confirmed that the affected files contained full names, dates of birth, Social Security numbers, health insurance information, and medical information, including diagnoses, treatment information, and prescription information.

Policies and procedures are being reviewed to reduce the likelihood of similar incidents in the future, and the HHS’ Office for Civil Rights has been notified about the data breach. The data breach is not yet shown on the OCR breach portal, so the scale of the breach is currently unclear.

Barrio Comprehensive Family Health Care Center (CommuniCare)

Barrio Comprehensive Family Health Care Center (CommuniCare), a non-profit clinic in San Antonio, Texas, has identified unauthorized access to an employee’s email account. The email account breach was identified on September 16, 2025, and third-party cybersecurity experts were engaged to determine the nature and scope of the unauthorized activity. CommuniCare determined that emails in the account had been accessed without authorization, some of which contained patient information.

Following a lengthy review of the affected emails and files, CommuniCare determined on February 19, 2026, that they contained first and last names, in combination with one or more of the following: dates of birth, health insurance account/member/group numbers, clinical information, diagnoses, medical treatment/procedure information, prescription information, provider locations, and patient account numbers.

CommuniCare said it is unaware of any misuse of patient data as a result of the incident, nor does it have any reason to believe that any information in the compromised account will be misused; however, the affected individuals have been advised to remain vigilant against data misuse by monitoring their accounts, explanation of benefits statements, and free credit reports for suspicious activity. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

The post ID Care & CommuniCare Announce Data Breaches appeared first on The HIPAA Journal.

Data Breaches Reported by Centerwell & Lakeside Pediatric & Adolescent Medicine

Centerwell, a provider of senior healthcare services in 30 U.S. states, has experienced a cyberattack and data breach. Lakeside Pediatric & Adolescent Medicine has recently notified individuals affected by an October 2024 data breach.

Centerwell

Centerwell, a Louisville, Kentucky-based provider of healthcare services to seniors, has recently reported a data breach to the Texas Attorney General that involved unauthorized access to patient information.

The scale of the breach is currently unclear, other than that the personal and protected health information of 4,618 Texas residents was compromised in the incident. The breach could be substantially larger, as Centerwell provides senior healthcare services in 30 U.S. states. The Texas Attorney General was informed on March 6, 2026, that data compromised in the incident includes names, addresses, dates of birth, and medical information. At the time of writing, the affected individuals have not been informed by mail, and no known threat group has publicly claimed responsibility for the incident.

This post will be updated when further information about the incident is released.

Lakeside Pediatric & Adolescent Medicine

Lakeside Pediatric & Adolescent Medicine (Lakeside), a Coeur d’Alene, Idaho-based healthcare provider, has started notifying patients about an October 2024 data security incident. Lakeside identified unauthorized access to its computer systems in late 2024. The forensic investigation confirmed that an unauthorized third party accessed its computer systems on November 1, 2024, and on December 15, 2024, Lakeside confirmed that there had been unauthorized access and potential acquisition of files containing patient information.

On January 1, 2025, Lakeside confirmed in a website breach notice that personal and protected health information had been compromised in the incident, although the data review was ongoing at that time. On or around December 26, 2025, Lakeside confirmed the data types involved, although the website notice has not been updated to state what those data types are.

In a breach notice submitted to the Washington Attorney General, Lakeside confirmed that single-bureau credit monitoring and identity theft protection services are being offered to the affected individuals, and that 1,314 Washington residents were affected. The incident has not yet been listed on the HHS’ Office for Civil Rights website, so it is unclear how many individuals in total have been affected.

The post Data Breaches Reported by Centerwell & Lakeside Pediatric & Adolescent Medicine appeared first on The HIPAA Journal.