Verizon DBIR: Healthcare Fends Off Social Engineering Attacks TechTarget and Informa Tech’s Digital Business Combine.TechTarget and InformaTechTarget and Informa Tech’s Digital Business Combine.Together, we power an unparalleled network of 220+ online properties covering 10,000+ granular topics, serving an audience of 50+ million professionals with original, objective content from trusted sources. We help you gain critical insights and make more informed decisions across your business priorities.Dark Reading Resource LibraryBlack Hat NewsOmdia CybersecurityAdvertiseNewsletter Sign-UpNewsletter Sign-UpCybersecurity TopicsRelated TopicsApplication SecurityCybersecurity CareersCloud SecurityCyber RiskCyberattacks & Data BreachesCybersecurity AnalyticsCybersecurity OperationsData PrivacyEndpoint SecurityICS/OT SecurityIdentity & Access Mgmt SecurityInsider ThreatsIoTMobile SecurityPerimeterPhysical SecurityRemote WorkforceThreat IntelligenceVulnerabilities & ThreatsRecent in Cybersecurity TopicsEndpoint SecurityChina's Webworm Uses Discord, Microsoft Graphs to Hack EU GovernmentsChina's Webworm Uses Discord, Microsoft Graphs to Hack EU GovernmentsbyAlexander CulafiMay 22, 20264 Min ReadApplication SecurityGitHub Confirms Breach, 4K Internal Repos StolenGitHub Confirms Breach, 4K Internal Repos StolenbyAlexander CulafiMay 20, 20263 Min ReadWorld Related TopicsDR GlobalMiddle East & AfricaAsia PacificLatin AmericaSee AllThe EdgeDR TechnologyEventsRelated TopicsUpcoming EventsPodcastsWebinarsSEE ALLResourcesRelated TopicsResource LibraryNewslettersPodcastsReportsVideosWebinarsWhite Papers Partner PerspectivesDark Reading Resource LibraryCyber RiskCybersecurity In-Depth: Digging into data about the latest attacks, threats, and trends using charts and tables.Verizon DBIR: Healthcare Fends Off Increased Social Engineering AttacksRansomware and vendor breaches persist, but the 2026 Data Breach Investigations Report (DBIR) highlights how evolving social engineering tactics make the sector more vulnerable.Arielle Waldman,Features Writer,Dark ReadingMay 22, 20265 Min ReadSource: Verizon Business' Data Breach Investigation ReportAs if physicians, doctors, and nurses didn't have enough daily stressors, a new report says they also face mounting social engineering attacks – many from threat actors emboldened by artificial intelligence (AI).The industry faces challenges stemming from ransomware, third-party vendor breaches, and social engineering, revealed Verizon Business’ 2026 Data Breach Investigations Report (DBIR). But while the first two are persistent threats, it seems social engineering against healthcare organizations picked up steam in 2025. Social engineering returned as one of the top three patterns attackers used in breaches, alongside system intrusion and miscellaneous errors. The three represented 81% of breaches, according to the report. More concerningly, attackers' social engineering tactics have significantly evolved. For the past 12 to 18 months, Chao Cheng-Shorland, co-founder and CEO of ShelterZoom, has seen more healthcare organizations grapple with advanced attacks that leverage AI-fueled social engineering to create a sense of urgency and catch people off-guard. That sense of urgency is already huge among healthcare professionals who need to make decisions in the snap of a finger. Related:Content Delivery Exploit Opens Websites to Brand Hijacking"Attackers have taken traditional phishing up a notch by using generative AI to create highly targeted, context-aware communications and malicious documents at scale," Cheng-Shorland tells Dark Reading. Not Just More Attacks, But More effective OnesUnfortunately, healthcare professionals are familiar with cyber threats. Attackers know the sector is vulnerable because of legacy machines, high-value data, and a stringent mission to provide uninterrupted patient care. The Health Information Sharing and Analysis Center (ISAC) continues to see social engineering as not only a persistent threat, but a highly effective one, explains CSO Errol Weiss. What separates healthcare is how well the schemes exploit operational urgency, complex supplier relationships, and high-value targets like credentials and patient data, he adds."Based on member reporting and broader industry observations, these attacks have remained persistent and, in many organizations, feel 'resurgent' over the past year," Weiss tells Dark Reading. "The more important story isn't just volume; it's effectiveness." Threat actors have responded to improved email security by refining pretexts and tailoring lures to healthcare workflows including vendor billing, human resources (HR), IT access, and even clinical operations, adds Weiss. Related:How CISOs Should Prep for Agentic-Ready AI BOMsWhile social engineering is a known threat technique, it evolved alongside GenAI adoption, which enables threat actors to create more precise pretexting and higher-quality lures across the landscape – and that includes healthcare, agrees Sarah Sabotka, staff threat researcher at Proofpoint.  However, Sabotka noted the apparent increase highlighted in Verizon's 2026 DBIR may be due to one good reason: Better reporting.  She explains the 2025 DBIR flagged "Everything Else" as a top-three healthcare breach pattern due to minimal data availability in breach notifications, then social engineering replaced it in the top three in 2026. "As reporting quality improves, social engineering attacks that previously lacked sufficient detail to classify are now being accurately reported," Sabotka tells Dark Reading. “The 2026 figures may reflect better visibility as much as a genuine increase in activity.” AI Ups the Social Engineering AnteThe rise of pretexting – faking identities or scenarios to manipulate a target into performing actions they would otherwise not undertake – is a common thread across Verizon's DBIR and a threat the experts all highlighted as well. With help from AI, it jumped to the number two spot among social actions in the report for healthcare breaches right behind phishing. Pretexting was not mentioned under healthcare in Verizon's DBIR 2025 or 2024. Related:What It'll Take to Make AI BOMs Usable in a Modern Security ProgramProofpoint observed pretexting being used against all industries, including the healthcare sector, especially in fraud campaigns, adds Sabotka.  "Pretexting can be very successful because the thoughtful construction of backstory enhances the believability of such carefully curated social engineering lures," she says. "Historically, we've observed most social engineering lures rely on urgency. Pretexting is different, as it aims to establish legitimacy and build trust with the target."Like any social engineering technique, pretexting is all about persuasion. This could entail impersonating HR or finance – anything to gain the target's trust. And like all other threats across the landscape, it evolved with AI. The biggest concern is that attackers now don't need to guess how an organization communicates, Cheng-Shorland explains. AI can ingest that data, learning from documents, contracts, presentations, and other files that organizations routinely share via email, she adds. Threat actors can use AI to analyze documents, writing styles, terminology, vendor relationships, and communication patterns to craft eerily convincing messages."In healthcare, and other highly collaborative industries, this creates a dangerous feedback loop," Cheng-Shorland says. "The more sensitive content that is exposed, the more accurately attackers can impersonate executives, clinicians, business partners, and trusted vendors, making social engineering attacks significantly more difficult to detect." Attacking Trust, Not Just TechThe trends echo what Health-ISAC sees as well – a shift toward more targeted, impersonation driven, and multi-channel social manipulation. Threat actors use techniques like pretexting that lead to more "credible deception that aligns with how healthcare actually works," explains Weiss."The [social engineering] evolution includes tighter personalization, more supplier/executive/helpdesk impersonation, and more emphasis on credential theft and session hijacking techniques, all designed to move quickly before teams can verify or respond," Weiss warns. The healthcare industry has its work cut out for them because "they’re more vulnerable than the baseline," the DBIR stated. Verizon recommended that organizations make phishing a top priority, extend multifactor authentication to protect VPN access, and implement continuous security awareness training. Weiss agrees that security measures should focus on layered identity controls and strong verification procedures that extend to sensitive requests, backed by rapid reporting and triage "because attackers are optimizing for human trust as much as technical weaknesses." About the AuthorArielle WaldmanFeatures Writer, Dark ReadingArielle spent the last decade working as a reporter, transitioning from human interest stories to covering all things cybersecurity related in 2020. Now, as a features writer for Dark Reading, she delves into the security problems enterprises face daily, providing context and actionable steps. She looks for stories that go past the initial news to understand where the industry is going. Her coverage areas include identity and access management, cyber risk and operations, industrial control systems, operational technology, and ransomware trends.    She previously lived in Florida where she wrote for the Tampa Bay Times before returning to Boston where her cybersecurity career took off at TechTarget SearchSecurity. When she's not writing about cybersecurity, she pursues personal projects that include a mystery novel and poetry collection.   See more from Arielle WaldmanWant more Dark Reading stories in your Google search results?Add Us NowMore InsightsIndustry ReportsHow Organizations Are Managing Incident ResponseHow Enterprises Are Developing Secure ApplicationsInside RSAC 2026: security leaders reveal the risks redefining your defense strategyHow Enterprises Are Harnessing Emerging Technologies in CybersecurityDitch the Data Center: Understanding Flexible Cloud Infrastructure Security ManagementAccess More ResearchWebinarsDefending in the Shadow Era: When the CVE Feed Goes DarkBuilding SecOps That Make the Most of Every DollarAI-Powered Credential Security: Intelligence Without ExposureAI-Powered Cybersecurity for Resource-Constrained OrganizationsHow Security Teams should apply Threat Intelligence into their DefensesMore WebinarsEdge PicksApplication SecurityAI Agents in Browsers Light on Cybersecurity, Bypass ControlsAI Agents in Browsers Light on Cybersecurity, Bypass ControlsCyber RiskBrowser Extensions Pose Heightened, but Manageable, Security RisksBrowser Extensions Pose Heightened, but Manageable, Security RisksLatest Articles in The EdgeCyberattacks & Data BreachesProcesses & Culture Top Reasons Behind Data BreachesMay 20, 2026|6 Min ReadCyber RiskHow CISOs Should Prep for Agentic-Ready AI BOMsMay 20, 2026|11 Min ReadCybersecurity AnalyticsWhat Will Make AI BOMs Real?May 19, 2026|3 Min ReadCyber RiskCheckbox Assessments Aren't Fit to Measure RiskMay 13, 2026|5 Min ReadRead More The EdgeDiscover MoreBlack HatOmdiaWorking With UsAbout UsAdvertiseReprintsJoin UsNewsletter Sign-UpFollow UsCopyright © 2026 TechTarget, Inc. d/b/a Informa TechTarget. This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world’s technology buyers and sellers. All copyright resides with them. Informa PLC’s registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.’s registered office is 275 Grove St. Newton, MA 02466.Home|Cookie Policy|Privacy|Terms of UseYour Privacy Choices

The 2026 Data Breach Investigations Report from Verizon highlights the persistent and evolving threat of social engineering against the healthcare sector, which is compounded by the rise of artificial intelligence. While ransomware and third-party vendor breaches remain ongoing threats, social engineering emerged as a critical pattern in healthcare breaches, accounting for 81 percent of incidents, alongside system intrusion and miscellaneous errors. This finding suggests that social engineering tactics have intensified significantly over the past year, particularly targeting healthcare organizations due to their specific operational characteristics.

The evolution of these attacks is strongly linked to the adoption of generative AI. Threat actors are now leveraging AI to create more sophisticated and effective social engineering schemes, such as highly targeted, context-aware communications and malicious documents at scale. This advancement allows attackers to exploit the high-pressure environments within healthcare, where professionals face intense decision-making demands, by generating a sense of urgency that can bypass critical thinking.

A significant vector in these advanced attacks is pretexting, which involves faking identities or scenarios to establish legitimacy and build trust with targets, rather than relying solely on urgency. Attackers employ AI to refine pretexting by ingesting vast amounts of organizational data, including emails, contracts, and communication patterns. This allows them to analyze writing styles, terminology, and established vendor or executive relationships to craft messages that are eerily convincing. As noted by Chao Cheng-Shorland, this capability enables attackers to impersonate clinicians, executives, and trusted vendors with greater accuracy, deepening the vulnerability by exploiting the complex stakeholder relationships inherent in healthcare operations.

This evolution indicates a shift in the attack focus from simple phishing to more nuanced impersonation that aligns with actual healthcare workflows, including vendor billing, human resources, and clinical operations. The Health Information Sharing and Analysis Center observes this trend, noting that social engineering now involves more targeted, impersonation-driven, and multi-channel manipulation designed to move quickly before verification can occur.

Furthermore, the context of the healthcare environment exacerbates the risk. As explained by Errol Weiss, the schemes become highly effective because they exploit operational urgency, intricate supplier relationships, and the high value of targets like credentials and patient data. Attackers can successfully exploit these structural and human elements by impersonating various roles to gain access to sensitive information, underscoring that the effectiveness of the attack lies in manipulating human trust as much as exploiting technical weaknesses.

Researchers observe that improvements in reporting quality may contribute to the increased figures seen in the report. The 2025 report flagged other categories as top breach patterns due to limited data availability, but social engineering replaced these categories in the 2026 figures as reporting visibility has improved. Consequently, the increased volume of reported social engineering incidents may reflect better detection rather than an absolute escalation in attack frequency.

In response to these threats, the Verizon DBIR recommends a layered defense strategy for healthcare organizations. These recommendations emphasize prioritizing phishing prevention, extending multifactor authentication to protect access points such as VPNs, and implementing continuous security awareness training. Critically, security measures must shift focus toward layered identity controls and robust verification procedures for sensitive requests, ensuring that protocols for rapid reporting and triage are established because attackers are optimizing for human trust.