Analysis of breached organizations reveals missing or misconfigured basic email security controls.

Of the 170 email-related healthcare breaches that were reported to the HHS in 2025, nearly three quarters had no effective policy to stop spoofed emails from reaching employee inboxes. Over half failed to verify whether incoming messages came from authorized senders.

Those findings come from the 2026 Healthcare Email Security Report, published today by Paubox, a HIPAA compliant email security company. The report analyzed 170 email-related breach incidents disclosed to the U.S. Department of Health and Human Services Office for Civil Rights between January and December 2025.

Paubox evaluated each breached organization’s publicly observable email settings, including three protocols that form the foundation of email authentication: DMARC, which tells receiving servers how to handle messages that fail verification; SPF, which confirms whether an email was sent from an authorized server; and MTA-STS, which requires encrypted connections between mail servers to prevent interception.

The basics are still missing

Among the organizations analyzed, 74% either lacked a DMARC policy entirely or had it set to monitor-only mode, which logs failed messages but does not block them. Over half used permissive or missing SPF records, meaning messages from unauthorized servers could still be delivered. Not a single breached organization enforced MTA-STS, which encrypts connections between mail servers.

These are basic, foundation-level configurations that have been recommended by federal agencies and industry groups for years.

Microsoft 365 accounted for more than half of breaches

53% of breached organizations used Microsoft 365 as their primary email platform, up from 43% in 2024. Among those, a third had DMARC in monitor-only mode, and nearly half used soft-fail SPF policies. The report notes that the platform provides the tools to configure these settings properly, but that many organizations simply do not follow through.

Fewer breaches, but weaker security postures

The total number of breached organizations dropped from 180 in 2024 to 170 in 2025. But the organizations that were breached had worse configurations on average. 41% fell into the highest risk category based on their authentication and encryption settings, up from 31% the year before. None fell into the lowest risk category, compared to 1% previously.

What effective email security looks like in 2026

In the report, Paubox outlines several principles for healthcare organizations looking to close these gaps, starting with a simple one: secure every email you send and receive. Organizations where encryption is triggered manually, or where staff must choose whether to use a secure portal, consistently show higher rates of accidental exposure. Paubox recommends automatic encryption for all outbound email, and AI-powered threat detection for inbound email security.

The full 2026 Healthcare Email Security Report is available at https://hubs.la/Q044K5rL0.

About Paubox

Paubox is a leader in HIPAA compliant email security for healthcare. Trusted by more than 8,000 organizations, including Cost Plus Drugs, Rippling, and Covenant Health, Paubox works with your existing platform to secure every email sent and received. Paubox is rated #1 on G2 and is recognized on G2’s 2026 Best Healthcare Software Products list. Paubox offers HIPAA compliant email encryption, AI-powered inbound email security, archiving, data loss prevention, a secure email API for transactional messaging, forms, and email marketing.

View source version on businesswire.com: https://www.businesswire.com/news/home/20260225531972/en/

Paubox outlines several principles for healthcare organizations looking to close these gaps, starting with a simple one: secure every email you send and receive.