## Overview
The 2026 Verizon Data Breach Investigations Report identifies healthcare as a sector under intensifying pressure from social engineering attacks, with threat actors increasingly targeting employees through phishing, pretexting, and related manipulation techniques to gain initial access. The annual report, which aggregates breach data across industries, shows healthcare organizations are contending with this shift even as legacy threats remain firmly in place.
Ransomware continues to account for a meaningful share of confirmed healthcare incidents, consistent with patterns documented in prior DBIR cycles. Third-party and vendor-related breaches also remain a persistent structural problem, reflecting the sector's dependence on a broad network of business associates that handle protected health information on behalf of covered entities.
The combination of escalating social engineering, active ransomware campaigns, and vendor supply-chain exposure creates a layered risk environment that disproportionately affects organizations with limited dedicated security staff — a category that includes the majority of independent and small-group practices in the United States.
## Key developments
Social engineering is growing more sophisticated and more frequent. The DBIR data shows healthcare is facing an uptick in attacks that manipulate employees directly rather than exploiting unpatched software. Pretexting — in which an attacker constructs a fabricated scenario to extract credentials or authorize fraudulent actions — has become more prevalent alongside traditional phishing campaigns.
Ransomware remains a primary threat vector. Despite years of sector-wide awareness campaigns, ransomware continues to appear in a significant proportion of healthcare breaches captured in the DBIR. Attackers have refined their targeting of healthcare, recognizing that operational disruption creates acute pressure on organizations to pay or recover quickly.
Third-party vendor compromises are a structural vulnerability. The report's findings reinforce that breaches do not always originate inside a covered entity's own network. Business associates — billing services, EHR vendors, transcription providers, and others — represent access pathways that attackers actively probe, and a single vendor compromise can cascade across multiple healthcare clients simultaneously.
The human layer is now the primary attack surface. Across the breaches analyzed, the pattern is consistent: attackers are prioritizing credential theft and human manipulation over technical exploitation. This shift places pressure on training programs, identity management, and verification procedures rather than perimeter defenses alone.
## Industry impact
Healthcare has ranked among the top sectors for data breach frequency and cost in successive years of DBIR reporting. IBM's Cost of a Data Breach Report has repeatedly placed healthcare at or near the top of all industries for per-record breach costs, a figure that has exceeded $10 million per incident in recent reporting cycles — roughly three times the cross-industry average.
The DBIR's longitudinal data shows social engineering as a rising proportion of initial access vectors across industries, and healthcare's specific exposure is amplified by workforce characteristics: high staff turnover, time-pressured clinical environments, and a large proportion of employees whose primary training is clinical rather than security-oriented. These factors make it harder to sustain consistent awareness and verification habits.
OCR enforcement data from HHS shows that business associate involvement in reportable breaches has grown steadily over the past decade, a trend the DBIR's vendor-breach findings extend and reinforce. Covered entities carry notification and remediation obligations even when the breach originates with a business associate, meaning the downstream compliance and financial exposure falls on the healthcare organization regardless of where the failure occurred.
## What this means for independent practices
- Audit every active business associate agreement (BAA). Confirm that each vendor with PHI access has a current, signed BAA and that the agreement includes breach notification timelines consistent with HIPAA's requirements.
- Test employee awareness with simulated phishing and pretexting scenarios. Generic annual training has limited effect against current social engineering tactics; periodic simulation exercises that reflect actual current attack patterns produce measurably better recognition rates.
- Implement multi-factor authentication across all systems that access PHI. Credential theft is the outcome most social engineering attacks are designed to produce; MFA disrupts the conversion of stolen credentials into unauthorized access.
- Establish a clear verbal verification protocol for any request involving credential changes, wire transfers, or PHI disclosures. A scripted callback procedure using a known, independently verified number can stop pretexting attacks that arrive by phone or email.
- Review and limit vendor access to the minimum necessary. Business associates should have scoped, time-limited access only to the PHI required for their contracted function, not standing administrative access to full systems.
Independent practices that lack dedicated IT or security staff are disproportionately exposed to the trends the DBIR documents, because the same resource constraints that limit technical controls also limit the frequency and quality of staff training. The practical response is to treat employee verification habits and vendor access controls as ongoing operational disciplines — reviewed and tested on a regular cycle — rather than one-time compliance checkboxes. Practices that do so reduce the probability that a single successful phishing email or pretexting call translates into a reportable breach.
## What would have prevented this
Security awareness training with simulation exercises: Generic annual training does not keep pace with evolving social engineering scripts. Regular simulated phishing and pretexting exercises, calibrated to current attack patterns, build the recognition habits that protect the human layer.
Multi-factor authentication (MFA) on all PHI-adjacent systems: MFA is the single most effective control against credential-based attacks. Requiring a second factor at login — even via time-based one-time passwords — prevents stolen passwords from being directly usable by attackers.
Role-based access controls (RBAC) with least-privilege enforcement: Limiting each user's and each vendor's access to only what their role requires means that a compromised account yields a narrower footprint. Broad standing access amplifies the damage from any single successful social engineering attack.
Third-party risk management and vendor access monitoring: Periodic security reviews of business associates, combined with logging and anomaly detection on vendor access sessions, allow practices to detect unusual activity originating from trusted third-party connections before it escalates into a confirmed breach.
Privileged access monitoring and just-in-time access provisioning: Accounts with elevated system privileges represent the highest-value targets for attackers who gain initial access through social engineering. Monitoring privileged sessions and issuing elevated access only for specific, time-bound tasks reduces the window of exposure if those credentials are compromised.
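The scoped, time-limited vendor access from the practice checklist, the anomaly detection on vendor access sessions, and the just-in-time privilege grants described above can all be expressed as one policy check run over access logs. The following is an added example written for this article, not code from Verizon, the DBIR, or any vendor product; the log line format, vendor names, addresses, contracted hours and grant windows are constructed assumptions. Each business associate gets a policy listing the resources its contracted function needs, the hours it is expected to work, and the source addresses recorded at onboarding; administrative actions additionally require an active, time-bound grant.

```python
"""Scope, time-of-day and JIT-grant checks on business-associate access events.

Added example for this article; it is not code from Verizon, the DBIR, or any
vendor. The log format, vendor names, addresses and policy values are
constructed assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class VendorPolicy:
    allowed_resources: FrozenSet[str]   # systems the contracted function needs
    allowed_hours: Tuple[int, int]      # UTC hours [start, end) when access is expected
    known_sources: FrozenSet[str]       # source addresses documented at onboarding


@dataclass(frozen=True)
class Grant:
    """A just-in-time elevation: admin rights on one resource for a bounded window."""
    vendor: str
    resource: str
    start: datetime
    end: datetime


# Constructed policies: the billing vendor sees only the billing database during
# business hours; the EHR support vendor may read the EHR around the clock but
# must hold an active grant for any administrative action.
POLICIES: Dict[str, VendorPolicy] = {
    "billing-co": VendorPolicy(frozenset({"billing-db"}), (8, 18), frozenset({"203.0.113.10"})),
    "ehr-support": VendorPolicy(frozenset({"ehr-prod"}), (0, 24), frozenset({"192.0.2.20"})),
}
GRANTS: List[Grant] = [
    Grant("ehr-support", "ehr-prod",
          datetime(2026, 3, 4, 15, 0, tzinfo=timezone.utc),
          datetime(2026, 3, 4, 17, 0, tzinfo=timezone.utc)),
]

# Constructed log lines in an assumed "<iso-timestamp> key=value ..." format.
SAMPLE_LOG = [
    "2026-03-04T14:05:00Z vendor=billing-co src=203.0.113.10 resource=billing-db action=read",
    "2026-03-04T02:30:00Z vendor=billing-co src=203.0.113.10 resource=billing-db action=read",
    "2026-03-04T15:10:00Z vendor=billing-co src=198.51.100.7 resource=ehr-prod action=read",
    "2026-03-04T16:00:00Z vendor=ehr-support src=192.0.2.20 resource=ehr-prod action=admin",
    "2026-03-04T18:30:00Z vendor=ehr-support src=192.0.2.20 resource=ehr-prod action=admin",
]


def parse_event(line: str) -> dict:
    """Split one log line into a dict; the timestamp becomes an aware datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event


def grant_active(vendor: str, resource: str, at: datetime, grants: List[Grant]) -> bool:
    """True if some grant for this vendor and resource covers the instant `at`."""
    return any(g.vendor == vendor and g.resource == resource and g.start <= at < g.end
               for g in grants)


def evaluate(event: dict, policies: Dict[str, VendorPolicy], grants: List[Grant]) -> List[str]:
    """Return the policy violations for one event; an empty list is expected activity."""
    policy = policies.get(event["vendor"])
    if policy is None:
        return ["vendor has no policy on file"]
    findings = []
    if event["resource"] not in policy.allowed_resources:
        findings.append("resource outside contracted scope")
    start, end = policy.allowed_hours
    if not start <= event["ts"].hour < end:
        findings.append("outside contracted hours")
    if event["src"] not in policy.known_sources:
        findings.append("source not on file")
    if event["action"] == "admin" and not grant_active(
            event["vendor"], event["resource"], event["ts"], grants):
        findings.append("privileged action without active JIT grant")
    return findings


def review(lines: List[str], policies=POLICIES, grants=GRANTS) -> List[Tuple[int, List[str]]]:
    """Evaluate every line and keep only the flagged ones, tagged by line index."""
    flagged = []
    for i, line in enumerate(lines):
        findings = evaluate(parse_event(line), policies, grants)
        if findings:
            flagged.append((i, findings))
    return flagged


if __name__ == "__main__":
    for idx, findings in review(SAMPLE_LOG):
        print(f"line {idx}: {'; '.join(findings)}")
```

On the constructed sample, the two billing events that fall outside contracted hours or touch the EHR from an undocumented address are flagged, and the EHR vendor's administrative action is accepted at 16:00 but flagged at 18:30 once the two-hour grant has lapsed. The same shape scales to a real practice by replacing the constants with the BAA inventory and having the JIT ticketing process append `Grant` records.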