RapidScale Blog

Email security for healthcare: Protecting PHI in the inbox

Written by RapidScale | Jul 13, 2026 12:00:00 PM

Email is a primary method of communication in healthcare, and hackers know it. They frequently target email inboxes in an attempt to expose protected health information (PHI).

Using email is essential, so how can healthcare organizations reduce the chances of exposing PHI to email attacks?

This guide explains the nature of email-based threats to patient data, how to significantly mitigate them, and provides a HIPAA-aligned checklist you can use to ensure your email communications are secure.

What does it mean to protect PHI in email?

Protecting PHI in email involves a combination of technical and administrative controls designed to prevent PHI from being stolen or exposed.

Some of the most common controls include:

  • Encryption
  • Access management
  • Email monitoring
  • Data loss prevention (DLP) tools
  • Patient names and other personally identifiable information (PII)
  • The results of the labs
  • Insurance coverage, payment, and policy details
  • Billing information
  • Medical history data
  • Sensitive internal clinical communications

By combining these tools and aligning your efforts with HIPAA security and privacy standards, you can drastically reduce the threat of successful email attacks and make your entire organization, and the data of the patients you serve, more secure.

Why email is a major healthcare threat vector

In healthcare, emails often contain a range of very sensitive and valuable information, such as:

At the same time, it’s not just the contents of emails that motivate attackers to exploit this vector. Bad actors may also compromise email accounts or pretend to be someone an employee trusts so they can obtain login information and other access credentials using phishing attacks.

Top email threats facing healthcare organizations

By addressing the following threats, you ensure email is a trusted, resilient business channel, not a risk surface.

Phishing attacks

A phishing email involves an attacker trying to trick a team member into handing over login credentials, clicking a malicious link, or downloading malware.

For example, a hospital nurse, Nancy, may get an email that looks like it comes from the IT department. It says something to the effect of, “Your email account will be disabled because you’re approaching storage limits. Click here to verify your credentials.”

The link then takes the nurse to a fake Microsoft 365 page. After she enters her username and password, it gets sent to an attacker’s server.

The attacker can then log into her email inbox.

Once they’ve gotten inside her email, they can start searching for sensitive information using search terms like “patient record,” “SSN,” or “insurance”.

They can also continue checking Nancy's email to get information that may help them plan a more elaborate attack down the road.

Business email compromise (BEC)

Business email compromise (BEC) happens when an attacker either gains access to a legitimate account or creates an account that looks like a legitimate one belonging to a leader, such as an executive or a manager. They then use the account to fool employees into transferring funds or revealing sensitive information.

Healthcare organizations are a prime target for BEC attacks. Since they often interact with organizations that require payments, such as insurance companies, medical suppliers, and vendors, it’s reasonable for some employees to expect requests for funds or sensitive information.

For instance, let’s say Andre, a billing manager, gets an email that looks like it comes from the CFO. It reads, “Good morning, Andre. I hope you had a good weekend at the lake with your family. We need to process an urgent payment to our new radiology vendor. Please wire $55,000 today using the payment link below.”

Notice how the attacker included details about Andre’s weekend? BEC hackers often grab personal details off social media profiles, like Facebook and Instagram, and use them to make their communications feel more authentic.

If Andre clicks on the link and sends the wire, the money ends up in a criminal’s account.

Financial and insurance fraud

It’s also common for attackers to use email to redirect payments or steal insurance reimbursements. This is especially effective against healthcare organizations because they handle so many financial transactions—insurance-based and otherwise.

Here’s how this kind of attack may transpire:

  1. An attacker compromises a medical billing employee’s email account.
  2. They start monitoring the account for communications with insurance providers.
  3. They send a message to an insurer that the employee communicates with that says something like, “Please update our clinic’s payment details because our account info has recently changed.” (They could also include personal details to make the email feel more real.)
  4. The insurer updates the payment details for what they think is the clinic’s account. In reality, they’re entering the attacker’s account information.
  5. When the insurer sends funds to “the clinic” in the future, they’re actually sending them to the attacker.

It’s not uncommon for this kind of attack to go on for weeks or even months because no one notices that insurance reimbursements aren’t actually being received.

Human error

Some cybersecurity issues start with relatively simple mistakes. For instance, someone can:

  • Send PHI to the wrong account, exposing it to an unauthorized person
  • Attach the wrong patient record to an email
  • Copy and paste a large list of patients into an unsecured email
  • Forward medical reports to someone outside of the organization
  • End-to-end encryption
  • Secure email portals
  • Automatic encryption policies, specifically for PHI

Consider this scenario, for instance:

A doctor wants to email lab results to a colleague, but they click on the wrong contact. The message they send has the patient’s name and their diagnosis. The doctor also attaches the patient’s lab report.

Unfortunately, under HIPAA, this is a reportable breach.

HIPAA-aligned email security checklist

The threats are diverse, but so are your options for mitigating them. Use this checklist to assess your current protections and prioritize the changes that will shrink your attack surface fastest

1. Encrypt email that contains PHI

Encryption protects sensitive information because it makes sure only an authorized recipient can read the message. For a healthcare organization, this involves using email that includes:

Here’s an example process of how encryption protects PHI:

  1. An employee who works in a lab sends results to a specialist.
  2. The email system, equipped with PHI protection capabilities, detects the PHI inside the message.
  3. The system automatically encrypts the email’s contents.
  4. It then sends the recipient a link to a secure portal to view the message.
  5. First, an employee in the billing department tries to send a spreadsheet that has 2,000 patient records filled with sensitive information to an external email address.
  6. Next, the DLP system detects the presence of PHI and blocks the message. It then sends an alert to the security team.

At this point, a few different things can happen. The recipient may be asked to enter login credentials that only they know before viewing the message's contents.

The recipient may also receive a one-time code to their phone or another device, and then use that to log in.

In some cases, the recipient has an account with the company that provides the secure portal. To access the information, the recipient must go through a multi-factor authentication (MFA) process.

Regardless of the path the recipient must take to view the message’s contents, this additional layer of security can prevent a hacker who only has the recipient’s email account and password from viewing sensitive information.

2. Use data loss prevention (DLP)

Data loss prevention tools scan emails to see if they contain sensitive information. Once they detect sensitive data, they then enforce security policies.

Your DLP system may look for social security numbers, medical record numbers, insurance policy numbers, or a range of patient identifiers.

You can set up a DLP solution to prevent sensitive data from being shared via email. Here’s how it works, using a common scenario:

If an attacker broke into someone’s email and used it to send those 2,000 patient records, the DLP system would prevent the breach. On the other hand, if an employee had simply made a mistake, the alert to the security team would give them an opportunity to remind the employee of their obligations under HIPAA when it comes to the kinds of information they can and cannot share and with whom.

Opting for a managed cloud security team can make a DLP solution even more effective. Your team works with you to set the most effective configurations, ensuring you protect the maximum amount of PHI.

3. Enable multi-factor authentication (MFA)

Since MFA forces people to authenticate using more than one method, it can stop a range of email attacks. As part of a Zero Trust approach, MFA presumes that each person trying to gain access is a threat, so they have to validate their credentials before proceeding.

Unfortunately, some people still use the same passwords for multiple accounts, and if their password has already been stolen, their work email account may be at risk.

But with MFA, the attacker needs more than an email address and password to access an account. For example, logging in may also require:

  • Authentication via a mobile authenticator app
  • A hardware token that the account owner keeps on their person
  • SMS verification codes that are sent to the account owner’s phone or other device
  • When email accounts get accessed
  • Where people log in from
  • When messages get forwarded
  • When someone opens an email and downloads a file
  • Boston, Massachusetts at 9:30 am
  • Barcelona, Spain at 9:45 am

It’s unlikely that an attacker would have both the account holder’s email/password combination and the other verification tools. In this way, MFA can prevent a variety of email hacks.

4. Maintain email audit logs

Email audit logs can keep track of crucial data that makes it easier to detect suspicious activity, such as:

For instance, suppose an audit log shows that a staff member logged in from:

This is impossible, and would trigger an alert that the security team could immediately investigate. If the legitimate user was using a VPN with a Barcelona IP address, the security team can verify that quickly by asking a few simple questions. On the other hand, if a hacker had indeed compromised the account, the security team could suspend it until the legitimate account holder has changed their credentials.

For busy IT teams, it’s encouraged to use a managed detection and response (MDR) team to handle these and other cyber incidents. This frees your team from having to comb through audit logs to look for suspicious activity because your MDR partner handles it all for you.

Email security for healthcare FAQs

Q: Is it okay to send PHI through email under HIPAA?

A: Yes, but you must have access controls in place, such as encryption or an equivalent service.

Q: Does a DLP solution automatically protect all sensitive information?

A: No, a DLP system can examine email contents for potential HIPAA issues, but senders still need to adhere to HIPAA guidelines when choosing what to send and to whom.

Q: If we use a secure portal to store encrypted email content, can someone with the recipient’s email address and password still access it?

A: If there aren’t any additional authentication requirements for viewing encrypted content, such as MFA or an account with the portal company, yes, someone with the recipient’s username and password may be able to access the encrypted content.

Build a defensible email security posture for PHI

Training staff to recognize threats and deploying encryption, DLP, MFA, and audit logging gives you layered protection against attackers targeting PHI. The strongest postures layer these controls so gaps in one are closed by another, but building and deploying that on your own is a heavy lift for a busy healthcare IT team.

RapidScale's healthcare specialists can help you assess your current posture and close the gaps. Send our team a message to learn how we keep PHI out of attackers' reach.