Dark Reading
Verizon DBIR: Healthcare Fends Off Increased Social Engineering Attacks
Healthcare professionals, including physicians and nurses, are now contending with a growing wave of social engineering attacks, many of which are enhanced by advancements in artificial intelligence (AI).
According to Verizon Business' "2026 Data Breach Investigations Report" (DBIR), the healthcare sector is grappling with significant challenges, including ransomware attacks, vendor breaches, and an increase in social engineering tactics. While ransomware and vendor-related threats have consistently posed risks, social engineering has resurfaced as a leading breach method, ranking among the top three alongside system intrusion and miscellaneous errors. Collectively, these three categories accounted for 81% of all breaches, as indicated in the report.
Most alarming is the evolution in attackers’ social engineering strategies. Chao Cheng-Shorland, co-founder and CEO of ShelterZoom, notes that over the past year and a half, an increasing number of healthcare organizations have reported facing sophisticated attacks that utilize AI-driven social engineering techniques to create urgency, consequently catching individuals off guard.
"Attackers have enhanced traditional phishing schemes by leveraging generative AI to craft highly targeted, context-aware communications and malicious documents on a larger scale," Cheng-Shorland explains.
Not Just More Attacks, But More Effective Ones
Healthcare professionals have a well-documented awareness of cyber threats. Attackers often target this sector due to its intrinsic vulnerabilities, which include outdated technology, the presence of valuable data, and the critical need for uninterrupted patient care.
Errol Weiss, CSO of the Health Information Sharing and Analysis Center (Health-ISAC), emphasizes that social engineering remains a significant and enduring threat. The unique aspects of healthcare (operational urgency, complex supplier relationships, and high-value targets including credentials and patient data) make it particularly susceptible to these schemes.
"Based on member reports and broader industry trends, these attacks have not only remained consistent, but they feel markedly 'resurgent' in various organizations over the past year," Weiss states. "The key takeaway is not merely the volume of attacks but their effectiveness."
As improvements in email security have taken place, threat actors have adapted by refining their pretexts and customizing their approaches to align with healthcare workflows, which encompass vendor billing, human resources, IT access, and clinical operations.
While social engineering is an established threat technique, it has advanced in conjunction with the adoption of generative AI, facilitating the creation of more precise pretexts and higher-quality lures, according to Sarah Sabotka, a staff threat researcher at Proofpoint. She notes that the rise in attacks highlighted in Verizon’s 2026 DBIR could be attributed to enhanced reporting mechanisms. Last year’s report categorized “Everything Else” as a primary breach pattern due to a lack of detailed data in breach notifications. Social engineering has since taken its place among the top three categories in the 2026 report.
"As reporting standards improve, social engineering attacks that previously lacked sufficient detail for classification are now receiving accurate identification," Sabotka explains. "The 2026 figures may signify better visibility rather than a substantial upturn in actual activity."
AI Ups the Social Engineering Ante
Pretexting, which involves fabricating identities or circumstances to manipulate targets into actions they would typically avoid, is prominently featured in Verizon's current DBIR and is highlighted by experts as a critical threat. With AI assistance, pretexting has ascended to the second most utilized social engineering tactic in healthcare breaches, just behind phishing. Notably, pretexting was absent from both the 2025 and 2024 DBIR reports concerning healthcare.
Proofpoint has noted that pretexting is increasingly deployed across various industries, healthcare included, primarily in fraud-related campaigns, Sabotka says.
"Pretexting is particularly effective due to the careful construction of narratives that enhance the credibility of such meticulously crafted social engineering lures," she observes. "Historically, many social engineering tactics rely heavily on urgency. In contrast, pretexting focuses on establishing a degree of legitimacy and building trust with the target."
As with all social engineering methods, pretexting hinges upon persuasion. This could involve impersonating figures from HR or finance, or anything else designed to foster trust with the target. Like other threats in the current landscape, pretexting has also evolved alongside AI.
A significant concern is that attackers no longer need to infer how an organization communicates, as Cheng-Shorland points out. AI can assimilate this information, drawing from documents, contracts, presentations, and other files that organizations commonly share via email. Threat actors can utilize AI to examine documents, writing styles, terminology, vendor connections, and communication practices to produce seemingly authentic messages.
"In healthcare and similarly collaborative industries, this creates a perilous feedback loop," Cheng-Shorland warns. "The more sensitive content that is disclosed, the better equipped attackers become to impersonate executives, clinicians, business partners, and trusted vendors, which in turn makes detecting social engineering efforts considerably more challenging."
Attacking Trust, Not Just Tech
The trends observed align with findings from Health-ISAC, which has noted a transition towards more targeted, impersonation-driven, and multichannel social manipulation. Threat actors employ tactics such as pretexting, resulting in a heightened level of "credible deception that resonates with the operational realities of healthcare," Weiss explains.
"The evolution of social engineering encompasses tighter personalization, more impersonation of suppliers, executives, and help desk representatives, and a greater emphasis on credential theft and session hijacking, all designed to expedite actions before teams have the opportunity to verify or respond," Weiss states.
The healthcare sector faces significant challenges as it is considered "more vulnerable than the baseline," according to the DBIR. Verizon advises organizations to prioritize phishing defenses, expand multifactor authentication for VPN access, and implement ongoing security awareness training.
Weiss agrees that security strategies should emphasize layered identity controls and robust verification procedures for sensitive requests, bolstered by prompt reporting and triage measures.
"Attackers are focusing on cultivating human trust as much as they exploit technical vulnerabilities," Weiss concludes.