By: Christopher Parrella, Esq., CPC, CHC, CPCO
Parrella Health Law, Boston, MA.
A Health Care Provider Defense and Compliance Firm
A new report from Paubox reveals a staggering truth: in 2024 alone, 180 healthcare organizations experienced email-related security breaches. These weren’t minor IT mishaps—they involved HIPAA violations, compromised patient data, and potential legal fallout that can cost millions.
Despite rising investment in cybersecurity—Moody’s reports healthcare organizations increased cyber spending by 70% over the last four years—the breaches keep coming. Microsoft 365, the market leader in business email solutions, was implicated in 43.3% of the reported healthcare email incidents. That’s not because its tools aren’t robust, but because most organizations don’t implement or configure them correctly.
One of the most common missteps? Failing to activate DMARC protection. Over one-third of Microsoft 365 users in the study left DMARC in “monitor-only” mode, offering no real defense against spoofing or impersonation. These are the kinds of gaps that allow phishing attacks, credential theft, and ransomware to thrive—and that led to high-profile breaches like the Solara Medical case, where one phishing email led to $12 million in settlements and massive reputational harm.
The report details how threats have evolved. Hackers now leverage AI to craft hyper-personalized phishing emails. They exploit insider threats, credential reuse, and misconfigured email authentication protocols. And as healthcare becomes more cloud-reliant, attackers are increasingly targeting Microsoft 365, Google Workspace, and other cloud providers.
Even more concerning: only 27% of healthcare IT leaders feel confident their current email security posture can prevent a breach in 2025. That should be a wake-up call.
Compliance Must Be More Than a Checkbox
Regulators are watching closely. The Office for Civil Rights (OCR) has ramped up enforcement actions. Proposed HIPAA Security Rule changes would require covered entities and business associates to tighten protections for electronic PHI against internal and external threats. OCR Director Melanie Fontes Rainer put it bluntly: “Failure to conduct a risk analysis leaves healthcare entities exposed.”
This is not just a technology problem—it’s a leadership one. Healthcare executives must view email security as mission-critical, not just an IT task. That means:
- Conducting accurate and thorough HIPAA risk analyses.
- Enforcing full DMARC and SPF implementation.
- Investing in layered solutions that don’t rely on user behavior alone to prevent breaches.
- Training staff continuously on phishing and impersonation tactics.
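The "monitor-only" DMARC gap described above and the "full DMARC" item in this list come down to one DNS record: a policy of p=none only reports spoofing, while p=quarantine or p=reject actually instructs receivers to act on it. The following checker is an added example, not code from the Paubox report or from Parrella Health Law; it parses a domain's _dmarc TXT record and flags the conditions that leave it non-enforcing. The sample records and the clinic.example domain are constructed for illustration.

```python
"""Classify a DMARC record as enforcing or monitor-only (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DmarcPosture:
    policy: Optional[str]            # value of the p= tag, None if absent/invalid
    enforcing: bool                  # True only for p=quarantine/reject at pct=100
    findings: List[str] = field(default_factory=list)  # why it is not enforcing


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into a tag dictionary (RFC 7489 syntax)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> DmarcPosture:
    """Return the posture for one _dmarc TXT record (None = no record published)."""
    if not record:
        return DmarcPosture(None, False, ["no _dmarc TXT record published"])
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return DmarcPosture(None, False, ["record does not begin with v=DMARC1"])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return DmarcPosture(None, False, ["missing or invalid p= tag"])
    findings: List[str] = []
    if policy == "none":
        findings.append("p=none is monitor-only: spoofed mail is still delivered")
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return DmarcPosture(policy, enforcing, findings)


# Constructed sample records for a hypothetical clinic.example domain
SAMPLES = {
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@clinic.example",
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@clinic.example",
    "partial": "v=DMARC1; p=quarantine; pct=25",
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        result = assess_dmarc(rec)
        print(f"{name}: policy={result.policy} enforcing={result.enforcing} {result.findings}")
```

To run it against a live domain, feed `assess_dmarc` the TXT value returned for `_dmarc.<yourdomain>` by your resolver; the "monitor_only" sample is exactly the state the report says one-third of Microsoft 365 users were left in.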
A Final Word of Advice
If you’re assuming that paying for Microsoft’s E5 license or a name-brand security solution is enough, you’re already behind. Without proper configuration and enforcement, even top-tier security systems offer a false sense of protection.
Cybersecurity in healthcare isn’t about chasing the newest tech. It’s about mastering the fundamentals, closing the obvious gaps, and being honest about where your organization is vulnerable. As this report makes clear, the cost of doing nothing is too high.
If you have questions about your organization’s email security posture, HIPAA compliance obligations, or you’d like our firm to conduct a HIPAA Risk Assessment in order to avoid becoming the next headline, contact Parrella Health Law at 857.328.0382 or Chris directly at cparrella@parrellahealthlaw.com.

Christopher A. Parrella, Esq., CPC, CHC, CPCO, is a leading healthcare defense and compliance attorney at Parrella Health Law in Boston. With extensive experience in healthcare law, he provides robust legal support in areas including regulatory compliance, audits, healthcare fraud defense, and reimbursement disputes. Christopher emphasizes client-centered advocacy, offering one-on-one consultations for personalized guidance. His proactive approach helps clients navigate complex healthcare regulations, ensuring compliant operations and defending against government investigations, audits, and overpayment demands.