As if physicians, doctors, and nurses didn’t have enough daily stressors, a new report says they also face mounting social engineering attacks — many from threat actors emboldened by artificial intelligence (AI).

The industry faces challenges stemming from ransomware, third-party vendor breaches, and social engineering, according to Verizon Business’ “2026 Data Breach Investigations Report” (DBIR). But while the first two threats have been persistent, it seems social engineering against healthcare organizations picked up steam and returned as one of the top three patterns attackers used in breaches, alongside system intrusion and miscellaneous errors. The three represented 81% of breaches, the report shows. 

More concerningly, attackers’ social engineering tactics have evolved significantly. Chao Cheng-Shorland, co-founder and CEO of ShelterZoom, tells Dark Reading that for the past 12 to 18 months she has seen more healthcare organizations grapple with advanced attacks that leverage AI-fueled social engineering to create a sense of urgency and catch people off guard.  


“Attackers have taken traditional phishing up a notch by using generative AI to create highly targeted, context-aware communications, and malicious documents at scale,” Cheng-Shorland says. 

Not Just More Attacks, But More Effective Ones

Healthcare professionals are all too familiar with cyber threats. Attackers know the sector is vulnerable because of legacy machines, high-value data, and a stringent mission to provide uninterrupted patient care. 

The Health Information Sharing and Analysis Center (Health-ISAC) continues to see social engineering as a highly effective, persistent threat, says CSO Errol Weiss. What sets healthcare apart is how well the schemes exploit operational urgency, complex supplier relationships, and high-value targets like credentials and patient data, he adds.

“Based on member reporting and broader industry observations, these attacks have remained persistent and, in many organizations, feel ‘resurgent’ over the past year,” Weiss tells Dark Reading. “The more important story isn’t just volume; it’s effectiveness.” 

Threat actors have responded to improved email security by refining pretexts and tailoring lures to healthcare workflows, including vendor billing, human resources, IT access, and even clinical operations, he adds. 

While social engineering is a known threat technique, it evolved alongside GenAI adoption, which enables threat actors to create more precise pretexting and higher-quality lures, says Sarah Sabotka, staff threat researcher at Proofpoint. However, the apparent increase highlighted in Verizon’s 2026 DBIR may be due to one good reason: better reporting. Last year’s DBIR flagged “Everything Else” as a top-three healthcare breach pattern due to minimal data availability in breach notifications, she notes. Then social engineering replaced it in the top three in 2026. 


“As reporting quality improves, social engineering attacks that previously lacked sufficient detail to classify are now being accurately reported,” Sabotka tells Dark Reading. “The 2026 figures may reflect better visibility as much as a genuine increase in activity.” 

AI Ups the Social Engineering Ante

The rise of pretexting — faking identities or scenarios to manipulate a target into performing actions they would otherwise not undertake — is a common thread across Verizon’s DBIR; it’s a threat the experts all highlight as well. With help from AI, pretexting jumped to the No. 2 spot among social actions in the report for healthcare breaches, right behind phishing. Pretexting was not mentioned under healthcare in Verizon’s DBIR 2025 or 2024 reports. 

Proofpoint has observed pretexting being used against all industries, including the healthcare sector, especially in fraud campaigns, Sabotka says.  


“Pretexting can be very successful because the thoughtful construction of a back story enhances the believability of such carefully curated social engineering lures,” she says. “Historically, we’ve observed most social engineering lures rely on urgency. Pretexting is different, as it aims to establish legitimacy and build trust with the target.”

Like any social engineering technique, pretexting is about persuasion. This could entail impersonating HR or finance — anything to gain the target’s trust. And like all other threats across the landscape, it has evolved with AI. 

The biggest concern is that attackers don’t need to guess how an organization communicates, Cheng-Shorland explains. AI can ingest that data, learning from documents, contracts, presentations, and other files that organizations routinely share via email, she says. Threat actors can use AI to analyze documents, writing styles, terminology, vendor relationships, and communication patterns to craft eerily convincing messages.

“In healthcare and other highly collaborative industries, this creates a dangerous feedback loop,” Cheng-Shorland says. “The more sensitive content that is exposed, the more accurately attackers can impersonate executives, clinicians, business partners, and trusted vendors, making social engineering attacks significantly more difficult to detect.” 

Attacking Trust, Not Just Tech

The trends echo what Health-ISAC sees as well — a shift toward more targeted, impersonation-driven, and multichannel social manipulation. Threat actors use techniques like pretexting that lead to more “credible deception that aligns with how healthcare actually works,” Weiss explains.

“The [social engineering] evolution includes tighter personalization, more supplier/executive/help-desk impersonation, and more emphasis on credential theft and session-hijacking techniques, all designed to move quickly before teams can verify or respond,” Weiss says. 

The healthcare industry has its work cut out for it because “they’re more vulnerable than the baseline,” the DBIR states. Verizon recommends that organizations make phishing a top priority, extend multifactor authentication to protect VPN access, and implement continuous security awareness training. 

Weiss agrees that security measures should focus on layered identity controls and strong verification procedures that extend to sensitive requests and are backed by rapid reporting and triage.

“Attackers are optimizing for human trust as much as technical weaknesses,” she says.




