March 3, 2026

Medical Economics Journal

  • Medical Economics May-June 2026
  • Volume 103
  • Issue 3
  • Pages: 34

Report: What 170 health care email breaches had in common

A new Paubox analysis of every email-related breach reported to federal regulators last year points to the same foundational failures, over and over.


Health care organizations reported 170 email-related breaches to the Health and Human Services (HHS) Office for Civil Rights in 2025, down from 180 the year before. The decline may look like progress, but the details suggest otherwise.

Those findings come from the 2026 Healthcare Email Security Report, published in February 2026 by Paubox, a Health Insurance Portability and Accountability Act-compliant email security company.

The report analyzed each breached organization’s publicly observable email configuration data — specifically the authentication and encryption protocols that form the baseline of modern email security. What it found was a consistent set of missing or misconfigured controls, and a breach population that, on average, had weaker security than the year before.


“The breaches ahead are unlikely to come from novel attacks,” the report states. “They’ll come from the same gaps that have been there for years, gaps that organizations have had time to close but haven’t.”

The 2026 Healthcare Email Security Report analyzed email-related breaches reported to the HHS Office for Civil Rights between Jan. 1 and Dec. 31, 2025.

“Patients must be able to trust that sensitive health information in their files is protected to preserve their trust in the patient-doctor relationship and ensure they get the care they need,” said Melanie Fontes Rainer, J.D., director of the HHS Office for Civil Rights.