
Why Email Security Must Be Healthcare’s Top Priority

April 11, 2026


In the past two years, U.S. healthcare organizations have endured an unprecedented wave of data breaches, exposing over 409 million patient records—but the root cause often lies in misconfigured email systems and inadequate protections. Below, we unpack the scale of this crisis, explore the vulnerability of Microsoft 365 environments, highlight critical security gaps, and outline practical steps to safeguard patient data.

Two recent studies count 409 million personal health records compromised across roughly 1,200 documented incidents, an average of about 340,000 records exposed per breach. The sheer volume underscores the cost of lax security controls within healthcare IT environments.

Some 43.3% of healthcare breaches traced back to Microsoft 365 environments, not because the service is inherently insecure but because its email security settings are so often misconfigured. Default or incomplete setups let threat actors bypass filters, spoof the organization's own domain, and land phishing messages directly in inboxes.

Despite a 50% increase in cybersecurity spending since 2018, 98.9% of breached healthcare organizations lacked essential protections such as MTA-STS. MTA-STS lets a receiving domain publish that mail to it must be delivered over TLS to an MX presenting a valid certificate; without it, a sending server silently falls back to cleartext when an on-path attacker strips STARTTLS, and the message can be read or altered in transit. Meanwhile, more than one-third of Microsoft 365 users kept DMARC in monitor-only mode (p=none), which collects aggregate reports but tells receiving servers to deliver spoofed mail anyway, so messages that fail authentication still reach the inbox.
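Both weak settings called out above, DMARC p=none and a non-enforcing MTA-STS policy, are easy to spot once the records are parsed. The Python below is an added example, not code from the original post or from InfoSight. The DMARC records and MTA-STS policy files are constructed samples for a hypothetical clinic.example domain (the monitor-only and testing versions next to their enforced counterparts), so the checker runs offline; in production you would fetch the _dmarc.<domain> TXT record and https://mta-sts.<domain>/.well-known/mta-sts.txt and pass them to the same functions.

```python
"""Flag non-enforcing DMARC records and MTA-STS policies.

Added example, not from the original post. All records below are
constructed samples for a hypothetical domain, not live DNS data.
"""

# --- Constructed samples: weak setting beside the corrected one ---------------
DMARC_MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@clinic.example"
DMARC_ENFORCED = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                  "rua=mailto:dmarc@clinic.example; ruf=mailto:forensics@clinic.example; fo=1")

# mx pattern mirrors what Microsoft 365 tenants publish; still a constructed sample.
MTA_STS_TESTING = "version: STSv1\nmode: testing\nmx: *.mail.protection.outlook.com\nmax_age: 86400\n"
MTA_STS_ENFORCED = "version: STSv1\nmode: enforce\nmx: *.mail.protection.outlook.com\nmax_age: 604800\n"

ONE_WEEK = 604800  # RFC 8461 expects max_age "in the range of weeks or greater"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag/value pairs; {} if not DMARC."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def dmarc_findings(record: str) -> list:
    """Return human-readable findings; an empty list means the record enforces."""
    tags = parse_dmarc(record)
    if not tags:
        return ["no valid DMARC record (v=DMARC1 missing)"]
    findings = []
    p = tags.get("p", "").lower()
    if p == "none":
        findings.append("p=none: monitor-only, receivers deliver spoofed mail and only send reports")
    elif p not in ("quarantine", "reject"):
        findings.append("p=%s: missing or invalid policy" % (p or "<missing>"))
    # sp defaults to p; an explicit weaker sp leaves every subdomain spoofable.
    sp = tags.get("sp", p).lower()
    if sp == "none" and p != "none":
        findings.append("sp=none: subdomains unprotected although the organizational domain enforces")
    pct = int(tags.get("pct", "100"))
    if pct < 100 and p in ("quarantine", "reject"):
        findings.append("pct=%d: policy applied to only %d%% of failing mail" % (pct, pct))
    if "rua" not in tags:
        findings.append("no rua: aggregate reports are not being collected")
    return findings


def parse_mta_sts(policy: str) -> dict:
    """Parse the key: value lines of an MTA-STS policy file (RFC 8461); mx may repeat."""
    fields = {"mx": []}
    for line in policy.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            fields["mx"].append(value)
        else:
            fields[key] = value
    return fields


def mta_sts_findings(policy: str) -> list:
    """Return findings for the policy file; empty list means enforce with sane lifetime.

    Note: the policy is only discovered if _mta-sts.<domain> also publishes a
    'v=STSv1; id=...' TXT record; that DNS check is out of scope here.
    """
    fields = parse_mta_sts(policy)
    if fields.get("version") != "STSv1":
        return ["missing or invalid version (expected STSv1)"]
    findings = []
    mode = fields.get("mode", "").lower()
    if mode == "testing":
        findings.append("mode: testing: TLS failures are only reported, mail still falls back to cleartext")
    elif mode == "none":
        findings.append("mode: none: policy published but disabled")
    elif mode != "enforce":
        findings.append("mode: %s: missing or invalid" % (mode or "<missing>"))
    if not fields["mx"]:
        findings.append("no mx entries: senders cannot validate the receiving host")
    max_age = int(fields.get("max_age", "0") or 0)
    if max_age < ONE_WEEK:
        findings.append("max_age=%d: shorter than a week, widens the policy-refresh attack window" % max_age)
    return findings


if __name__ == "__main__":
    for label, record in (("monitor-only", DMARC_MONITOR_ONLY), ("enforced", DMARC_ENFORCED)):
        print("DMARC", label, dmarc_findings(record) or "OK")
    for label, policy in (("testing", MTA_STS_TESTING), ("enforce", MTA_STS_ENFORCED)):
        print("MTA-STS", label, mta_sts_findings(policy) or "OK")
```

Run it and the monitor-only DMARC record and the testing-mode policy each produce findings while the enforced pair is clean; swap in records fetched from DNS and the policy URL to audit a real tenant, and treat any non-empty result as a gap to close before an incident, not after.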

Email remains healthcare’s most exploited attack surface—and failure to secure it carries not only the risk of massive data exposure but also hefty HIPAA fines and reputational damage. By applying rigorous configuration standards, enforcing strong authentication, and weaving email security into broader threat-detection efforts, healthcare organizations can dramatically reduce their risk and protect the very patients they serve.

How InfoSight Can Help

To secure your healthcare email infrastructure, InfoSight delivers a full suite of services to harden every layer:

  • Email Security Assessments via our Vulnerability & Cybersecurity Assessments identify misconfigurations in Microsoft 365 and other mail systems.

  • Phishing Simulations & Awareness Training powered by our Mitigator Vulnerability & Threat Manager, including a built-in email-phishing tool.

  • 24×7 SOC-as-a-Service (InfoSight SOCaaS) for continuous email-event monitoring, rapid triage, and containment.

  • Managed Endpoint Detection & Response (Managed EDR) to stop malicious payloads and lateral movement in real time.

  • Penetration Testing Services, including targeted Microsoft 365 configuration reviews and simulated phishing campaigns.

By combining these capabilities, InfoSight helps healthcare organizations enforce email-security best practices, meet HIPAA requirements, and dramatically reduce breach risk.

Interested in knowing more about how we can help mitigate cyber risk and assist with HIPAA compliance? Send us an email.

Sources: Indusface via IT Pro (May 2025); BusinessWire and Security Magazine (Mar 2025).
