The ordinary way it starts
It usually does not start with a hooded genius pounding away in a basement.
It starts with an email that looks close enough.
A staff member is moving fast. The waiting room is not empty. Someone needs a chart, someone else needs a claim fixed, and an email shows up that looks like it came from a vendor, a doctor, or the payment processor. One click later, the practice has a people problem, not just a computer problem.
If you want the broader frame first, start with Healthcare Practices and Cyber & Modern Operational Risk. If you want the vendor side of the same issue, read What Your EHR Vendor Covers — and What Your Practice Still Owns Under HIPAA.
What’s really going on
Phishing still works because small practices run on trust and speed.
That is not sloppiness. That is how the day is built.
Front-desk staff open attachments. Office managers approve invoices. Doctors answer messages between patients. Hygienists, assistants, billers, and admin staff all touch systems that matter. A criminal does not need to break the whole network if one login gets them into email, cloud storage, a payment platform, or an EHR session that never got closed properly.
That is why phishing keeps beating purely technical controls. It uses the busy part of the office against itself.
Why healthcare gets hit this way
Small practices have a few traits that make phishing more productive than people like to admit.
- The work is interruption-heavy. When phones ring, patients check in, and billing questions pile up, staff make decisions fast. Fast is where fake emails blend in.
- The systems overlap. Email touches scheduling, billing, referrals, scanned records, payment questions, and vendor notices. One compromised inbox is not “just email.”
- The office often leans on a small bench. In a lot of Twin Cities practices, the same person is handling calls, calendars, vendor follow-up, and claim cleanup. That means one account takeover can create operational drag almost immediately.
- Cloud software changes the shape of the risk, not the existence of it. Dentrix, Eaglesoft, ChiroTouch, and similar systems may host the application well enough. That does not stop an attacker from using your credentials, your mailbox, or your payment workflow against you.
That last point matters. People hear “cloud” and translate it into “safe enough.” That is a little too generous.
Where the damage actually shows up
The clicked email is the opening scene. The loss comes later.
Maybe the attacker pulls data. Maybe they reset passwords. Maybe they send messages from a trusted mailbox. Maybe they pivot into a cloud app and lock the office out. Maybe they sit quietly for a while and wait for a payment change request that looks ordinary.
However it unfolds, the money usually goes in familiar places:
- outside IT or forensics to figure out what happened
- legal review to sort out whether PHI was exposed and what notice is required
- downtime while schedules, charts, and billing get unreliable
- patient communication if the event turns into a breach
- extortion or restoration expense if ransomware joins the party
The math gets unpleasant faster than most owners expect.
If notice and support average even $8 to $15 per affected patient, then 1,500 patient records creates roughly $12,000 to $22,500 of cost before you count real downtime. Add outside response costs and the bill can climb into the kind of range that makes a small endorsement feel pretty small.
That is why phishing matters even when nothing cinematic happens.
What people get wrong
The first mistake is treating phishing like a training issue and only a training issue.
Training helps. So do filters, MFA, and sane payment controls. But the real question is larger: if someone still gets through, who pays for the office-level mess afterward?
The second mistake is assuming the software vendor will solve it because their platform is involved. Sometimes the platform is barely the story. The event may start in your email, your credentials, or your payment process and then spill into patient data. That is practice liability, not vendor magic.
The third mistake is thinking a small cyber add-on automatically matches a healthcare event. Sometimes it helps. Sometimes it is a short blanket on a cold night. That is why Standalone Cyber vs. BOP Cyber Endorsements for Small Healthcare Practices matters, and why HIPAA Breach Notification Costs: Where the Money Actually Goes is worth reading right after this.
Simple decision rule
If one compromised inbox could touch PHI, scheduling, billing, or payment instructions, then phishing is not a side risk for the practice.
It is the main cyber scenario.
Build around that first. Train for it. Put MFA where it actually matters. Tighten payment approval steps. Then make sure the policy structure can pay for the office-level response when a bad email gets through anyway.
Next step
Pull one recent suspicious email, your MFA setup, and your cyber coverage summary into the same conversation. That tends to tell the truth pretty quickly.
Minnesota note: smaller metro practices often do not feel a phishing loss as “a cyber event” at first. They feel it as phones backing up, claims slowing down, and one office manager trying to hold three loose wires together at once.