New Research: Healthcare Company Emails Put Patients at Risk

In a recent study, Return Path found that only 12% of the top healthcare brands in the US are being proactive when it comes to protecting their customers, brand reputation, and bottom line from email attacks. This is especially troubling given how heavily the healthcare industry is targeted by cybercriminals.

Medical data—worth 10 times more than a credit card number on the black market—is extremely valuable to fraudsters. The average payout for a medical identity theft is about $20,000, compared to $2,000 for a regular identity theft, according to RSA.

Greater value means more attacks. Just consider these stats:

Phishers often capitalize on the breaking news of a massive data breach. Anthem, for instance, experienced a flood of phishing scams targeting their customers just hours after they publicly announced the data breach we are now all familiar with.



Healthcare companies can’t rely on unassuming customers to spot fraudulent emails like these; 97% of people around the globe cannot identify a sophisticated phishing message.

But healthcare companies can prevent these malicious emails from ever reaching their customers' inboxes in the first place. The problem is, they're not.

Only 12% of top US healthcare brands are securing email
Return Path analyzed 1,192,786 total messages from 40 of the top healthcare brands in North America, looking specifically at implementation of the email authentication standards SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance).

79% of the messages we analyzed were sent from primary sending domains with no SPF record published, which means a fraudster can use those domains as the envelope sender and the receiving mail server has no list of authorized senders to check against. Of the messages that did have an SPF record, only 21% passed SPF, which indicates that these brands lack visibility and control over their email authentication and/or that mail is being sent from IP addresses the brand has not authorized. Note that SPF on its own validates the envelope sender (the Return-Path), not the From address the recipient actually sees; without DMARC tying the two together, a passing SPF check does nothing to stop a spoofed From header.

Only 12%—five out of the 40 brands—had implemented a DMARC record. This means cybercriminals can spoof any owned sending domain not protected by DMARC in the "From" field, tricking customers into giving up confidential personal and health information. Publishing a record is only the first step: a DMARC policy of p=none merely requests reports, and receivers will only quarantine or reject spoofed mail once the domain moves to p=quarantine or p=reject applied to 100% of mail (pct=100).
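The assessment described above can be reproduced for any domain. The script below is an added example, not Return Path's analysis tooling: it fetches a domain's SPF and DMARC TXT records, evaluates a sending IP against the SPF record in the way a receiving mail server would (a simplified version of the RFC 7208 check_host() algorithm covering ip4, ip6, include and all), parses the DMARC policy, and reports whether the domain actually blocks From-header spoofing. The domain names, IP addresses and TXT records are constructed for illustration so the example runs offline; in practice the lookup function would query DNS (for example with dnspython or `dig TXT _dmarc.<domain>`).

```python
"""Offline SPF/DMARC posture check for a sending domain.

Added example, not Return Path's code. TXT_RECORDS stands in for DNS and
contains constructed data only.
"""
import ipaddress

# Constructed TXT records for hypothetical domains (not real DNS data).
TXT_RECORDS = {
    "clinic-a.example": ["v=spf1 ip4:203.0.113.0/24 include:mail.vendor.example -all"],
    "_dmarc.clinic-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@clinic-a.example; pct=100"],
    "clinic-b.example": ["v=spf1 ip4:198.51.100.10 ~all"],
    "_dmarc.clinic-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@clinic-b.example"],
    "clinic-c.example": [],  # no SPF record, no DMARC record
    "clinic-d.example": ["v=spf1 -all"],
    "_dmarc.clinic-d.example": ["v=DMARC1; p=quarantine; pct=50"],
    "mail.vendor.example": ["v=spf1 ip4:192.0.2.0/28 -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Return TXT strings for a name from the constructed table (stand-in for a DNS query)."""
    return TXT_RECORDS.get(name.lower(), [])


def get_spf_record(domain):
    """Return the single v=spf1 record, or None if there is none (or more than one)."""
    recs = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def check_spf(domain, ip, depth=0):
    """Simplified RFC 7208 check_host(): evaluates ip4/ip6/include/all left to right."""
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10; also stops include loops
        return "permerror"
    record = get_spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:  # an IPv4 address is never inside an IPv6 network and vice versa
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            matched = check_spf(arg, ip, depth + 1) == "pass"
        elif name in ("a", "mx", "ptr", "exists"):
            matched = False  # would need live DNS; treated as no-match to stay offline
        elif "=" in term:
            continue  # modifiers such as redirect= and exp= are ignored offline
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def get_dmarc_policy(domain):
    """Parse the _dmarc TXT record into a tag dict, or None if absent."""
    recs = [r for r in lookup_txt("_dmarc." + domain) if r.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return None
    tags = {}
    for part in recs[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain, sending_ip):
    """Summarise the posture measured in the study for one domain and one sending IP."""
    dmarc = get_dmarc_policy(domain)
    policy = dmarc.get("p", "").lower() if dmarc else None
    pct = int(dmarc.get("pct", "100")) if dmarc else 0
    return {
        "spf_published": get_spf_record(domain) is not None,
        "spf_result": check_spf(domain, sending_ip),
        "dmarc_published": dmarc is not None,
        "dmarc_policy": policy,
        # Only quarantine/reject applied to all mail makes receivers act on a spoofed From.
        "spoof_blocked": policy in ("quarantine", "reject") and pct == 100,
    }


if __name__ == "__main__":
    for dom, ip in [("clinic-a.example", "192.0.2.5"), ("clinic-a.example", "198.51.100.200"),
                    ("clinic-b.example", "198.51.100.10"), ("clinic-c.example", "203.0.113.7"),
                    ("clinic-d.example", "203.0.113.7")]:
        print(dom, ip, assess(dom, ip))
```

clinic-a is the posture the study counts as protected: a mail from the vendor's range passes via the include, anything else fails -all, and p=reject means receivers discard spoofs. clinic-b has SPF but only p=none, so it matches the "has a DMARC record" statistic while still letting spoofed From headers through; clinic-d shows the same gap from a partial pct rollout.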

This trend holds true around the globe. Back in February 2015, Return Path analyzed over 1,000 of the world's largest brands across 31 countries to look at DMARC adoption rates by region and industry sector. The healthcare industry's DMARC adoption rate was the lowest of all sectors, at just 8%.

The bottom line is that healthcare organizations simply aren’t doing enough to protect their customers. That’s why we wrote The Healthcare Guide to Email Fraud. In it, we’ll dive into best practices for securing outbound email and protecting patients, brand reputation, and business outcomes.

Get your copy here.
