Verizon DBIR: Healthcare Fends Off Increased Social Engineering Attacks

The 2026 Verizon DBIR highlights a turning point for cyber risk in the health sector. While ransomware and third‑party breaches have long dominated headlines, social engineering has clawed back a top‑three position, driven by generative AI that can mimic the tone, terminology, and document styles of hospitals and clinics. This technological edge allows threat actors to produce convincing phishing emails, malicious attachments, and pretexting scenarios at scale, turning routine operational urgency into a weaponized entry point for credential theft and data exfiltration.

Pretexting, once a niche tactic, now ranks second only to phishing among social actions targeting health organizations. By ingesting contracts, patient‑care protocols, and internal communications, AI models can fabricate believable narratives—such as fake HR payroll requests or vendor invoice approvals—that align perfectly with daily workflows. The result is a higher conversion rate for attacks, as staff are less likely to question messages that appear to come from trusted sources. This shift underscores a broader industry challenge: defending not just the network perimeter but also the human decision‑making process that underpins clinical and administrative operations.

In response, experts and the DBIR recommend a layered defense strategy. Extending multifactor authentication to VPN and remote‑access portals, automating verification of high‑risk requests, and deploying continuous, scenario‑based security awareness programs can blunt the human factor that attackers exploit. Moreover, improving breach reporting standards will help differentiate genuine attack growth from better visibility. As AI tools become more accessible, health providers must treat social engineering as a strategic priority, integrating technology, policy, and training to safeguard patient data and maintain operational resilience.