
Small Medical Practices Are Sitting Ducks for Healthcare Cybercrime

New survey reveals 98% of small healthcare organizations falsely believe they're HIPAA compliant while operating with dangerous security gaps

Over 90% of U.S. healthcare providers operate as small organizations, yet a new Paubox report titled "What small healthcare practices get wrong about HIPAA and email security" reveals these practices are unknowingly exposing themselves to cyber attacks and federal compliance violations.

The study of 214 healthcare IT leaders and practice managers at organizations with fewer than 250 employees found that nearly all small practices (98%) claim their platforms "encrypt emails by default"—but most are using common tools like Microsoft 365 or Google Workspace that often fail to provide actual protection.

"Nearly half of healthcare email breaches stem from Microsoft 365 alone," the survey found. The problem is that the encryption these platforms apply is opportunistic: if a recipient's mail server doesn't support modern protocols, the message can fall back to an unencrypted connection, often without any alert to the sender, leaving protected health information completely exposed.

The confidence crisis

More than 80% of small practices expressed confidence in their current HIPAA compliance posture, but the reality is far different. The survey found widespread misconceptions that are creating massive compliance gaps:

83% believe patient consent removes the need for encryption—a costly misunderstanding. Federal regulations still require "appropriate safeguards" under the HIPAA Security Rule, even when patients agree to electronic communication. Getting a patient's okay to email doesn't eliminate the legal requirement for encryption and other protective measures.

64% believe patient portals are required for HIPAA compliance—yet the regulations say the opposite. HIPAA explicitly gives patients the right to request communication "by alternative means or at alternative locations, if reasonable." Portals are just one option among many, including secure direct email when proper safeguards are in place.

20% don't utilize any form of email archiving or audit trail—leaving one in five practices unable to investigate incidents after they happen or prove compliance during federal audits.

These misconceptions create compliance violations that practices don't even realize exist, with healthcare providers unknowingly breaking federal law while genuinely believing they're following the rules.

Cybercriminals target the vulnerable

Phishing attacks—the leading cause of healthcare breaches—now account for over 70% of healthcare data breaches as of 2024. Small practices are prime targets because they typically lack dedicated security staff, formal training programs, or technical defenses.

The survey found that 43% of small healthcare organizations reported experiencing a phishing or spoofing incident in the past year. Meanwhile, about 50% of these organizations lack anti-phishing controls beyond default spam filters, and nearly 99% have not implemented secure email transfer protocols.

"Phishing attacks have evolved—they're faster, smarter, and relentless," noted Paubox CEO, Hoala Greevy. "It's not about one-off scams anymore; it's deception at scale."

Beyond the breach

When breaches occur, small practices face the same serious consequences as large health systems. Recent examples from the past year include:

  • Solara Medical: $9.76 million class-action settlement following a phishing attack
  • Sunrise Community Health: Email compromise affecting 54,000+ patients
  • Salud Family Health: Phishing attack exposing 80,000+ records

Even smaller penalties come with major operational costs. Agape Health, a North Carolina clinic, paid $25,000 for emailing protected health information unencrypted to the wrong recipient, while Vision Upright MRI faced a $5,000 fine plus two years of federal monitoring after a server breach exposed over 21,000 individuals' medical imaging records.

In 2025, healthcare breaches took an average of 224 days to detect and another 84 days to contain—over 10 months total. Without proper audit trails, many small organizations lack the systems to spot breaches until it's too late.

Stretched thin and vulnerable

The survey found that small healthcare practices are operating under dangerous constraints that create the perfect storm for security failures:

One-third report not having enough time for compliance tasks—meaning critical security measures get pushed aside during busy patient care schedules. The same number have no clear policies or procedures in place, leaving staff to make up security protocols on the fly.

Only half have phishing or spoofing protection enabled, despite facing the same sophisticated attacks that target major health systems. Meanwhile, the average small healthcare employee has access to more than 5,500 sensitive files—creating massive exposure when those unprotected phishing emails inevitably get through.

This combination of time pressure, unclear guidance, and broad data access means a single clicked link can expose thousands of patient records. It's a vulnerability that cybercriminals are increasingly exploiting.

What HIPAA investigators look for

When HHS investigators arrive after a breach, they look for specific documentation that most small practices can't provide:

  • Proof that protected health information was encrypted in transit—not just that platforms "support" encryption
  • Audit logs showing who sent what to whom and whether it was properly protected
  • Evidence of risk assessments documenting understood vulnerabilities
  • Incident response procedures for when things go wrong

"Every organization, no matter the size, is required to comply with the HIPAA Security Rule," emphasized Melanie Fontes Rainer, Director of the HHS Office for Civil Rights. "Risk assessments are not optional—they're foundational."

The path forward

With federal enforcement ramping up and cybercriminals increasingly targeting small practices, the window for voluntary compliance is closing fast.

The practices that are getting ahead of this crisis share a common strategy: they've stopped relying on overworked staff to make perfect security decisions every time. Instead, they're implementing systems that encrypt every message automatically, maintain detailed audit trails without extra effort, and block phishing attacks before employees ever see them.

"The cost of compliance is far less than the cost of a breach," the survey noted—and recent settlements prove it. At $25,000 to $9.76 million per incident, even "small" violations can devastate a practice's finances and reputation.

For the 90% of healthcare providers operating as small organizations, the math is simple: invest in automated protection now, or face the much higher costs of breach response, federal penalties, and lost patient trust later. The choice is becoming less optional every day.

The complete report, "What small healthcare practices get wrong about HIPAA and email security," is available for download at https://hubs.la/Q03DslQT0.

About Paubox

Paubox is a leader in HIPAA compliant communication and marketing solutions for healthcare organizations. According to G2 rankings, Paubox leads the industry for Best Secure Email Gateway, Email Security, HIPAA Compliant Messaging Software, and Email Encryption solution, and is the only HIPAA compliant email company listed on G2's 2025 Best Healthcare Software Products. Paubox solutions include Paubox Email Suite, Paubox Marketing, Paubox Email API, Paubox Forms, and Paubox Texting. Launched in 2015, Paubox is trusted by over 7,000 healthcare organizations, including Cost Plus Drugs, Covenant Health, Devry University, and SimonMed Imaging.
