TechTarget and Informa Tech’s Digital Business Combine. Dark Reading Resource Library Black Hat News Omdia Cybersecurity Advertise NEWSLETTER SIGN-UP Cybersecurity Topics World The Edge DR Technology Events Resources CYBER RISK Cybersecurity In-Depth: Digging into data about the latest attacks, threats, and trends using charts and tables. Verizon DBIR: Healthcare Fends Off Increased Social Engineering Attacks Ransomware and vendor breaches persist, but the 2026 Data Breach Investigations Report (DBIR) highlights how evolving social engineering tactics make the sector more vulnerable. Arielle Waldman,Features Writer,Dark Reading May 22, 2026 5 Min Read SOURCE: VERIZON BUSINESS' DATA BREACH INVESTIGATION REPORT As if physicians, doctors, and nurses didn't have enough daily stressors, a new report says they also face mounting social engineering attacks – many from threat actors emboldened by artificial intelligence (AI). The industry faces challenges stemming from ransomware, third-party vendor breaches, and social engineering, revealed Verizon Business’ 2026 Data Breach Investigations Report (DBIR). But while the first two are persistent threats, it seems social engineering against healthcare organizations picked up steam in 2025. Social engineering returned as one of the top three patterns attackers used in breaches, alongside system intrusion and miscellaneous errors. The three represented 81% of breaches, according to the report. More concerningly, attackers' social engineering tactics have significantly evolved. For the past 12 to 18 months, Chao Cheng-Shorland, co-founder and CEO of ShelterZoom, has seen more healthcare organizations grapple with advanced attacks that leverage AI-fueled social engineering to create a sense of urgency and catch people off-guard. That sense of urgency is already huge among healthcare professionals who need to make decisions in the snap of a finger. Related:Content Delivery Exploit Opens Websites to Brand Hijacking "Attackers have taken traditional phishing up a notch by using generative AI to create highly targeted, context-aware communications and malicious documents at scale," Cheng-Shorland tells Dark Reading. Not Just More Attacks, But More effective Ones Unfortunately, healthcare professionals are familiar with cyber threats. Attackers know the sector is vulnerable because of legacy machines, high-value data, and a stringent mission to provide uninterrupted patient care. The Health Information Sharing and Analysis Center (ISAC) continues to see social engineering as not only a persistent threat, but a highly effective one, explains CSO Errol Weiss. What separates healthcare is how well the schemes exploit operational urgency, complex supplier relationships, and high-value targets like credentials and patient data, he adds. "Based on member reporting and broader industry observations, these attacks have remained persistent and, in many organizations, feel 'resurgent' over the past year," Weiss tells Dark Reading. "The more important story isn't just volume; it's effectiveness." Threat actors have responded to improved email security by refining pretexts and tailoring lures to healthcare workflows including vendor billing, human resources (HR), IT access, and even clinical operations, adds Weiss. Related:How CISOs Should Prep for Agentic-Ready AI BOMs While social engineering is a known threat technique, it evolved alongside GenAI adoption, which enables threat actors to create more precise pretexting and higher-quality lures across the landscape – and that includes healthcare, agrees Sarah Sabotka, staff threat researcher at Proofpoint. However, Sabotka noted the apparent increase highlighted in Verizon's 2026 DBIR may be due to one good reason: Better reporting. She explains the 2025 DBIR flagged "Everything Else" as a top-three healthcare breach pattern due to minimal data availability in breach notifications, then social engineering replaced it in the top three in 2026. "As reporting quality improves, social engineering attacks that previously lacked sufficient detail to classify are now being accurately reported," Sabotka tells Dark Reading. “The 2026 figures may reflect better visibility as much as a genuine increase in activity.” AI Ups the Social Engineering Ante The rise of pretexting – faking identities or scenarios to manipulate a target into performing actions they would otherwise not undertake – is a common thread across Verizon's DBIR and a threat the experts all highlighted as well. With help from AI, it jumped to the number two spot among social actions in the report for healthcare breaches right behind phishing. Pretexting was not mentioned under healthcare in Verizon's DBIR 2025 or 2024. Related:What It'll Take to Make AI BOMs Usable in a Modern Security Program Proofpoint observed pretexting being used against all industries, including the healthcare sector, especially in fraud campaigns, adds Sabotka. "Pretexting can be very successful because the thoughtful construction of backstory enhances the believability of such carefully curated social engineering lures," she says. "Historically, we've observed most social engineering lures rely on urgency. Pretexting is different, as it aims to establish legitimacy and build trust with the target." Like any social engineering technique, pretexting is all about persuasion. This could entail impersonating HR or finance – anything to gain the target's trust. And like all other threats across the landscape, it evolved with AI. The biggest concern is that attackers now don't need to guess how an organization communicates, Cheng-Shorland explains. AI can ingest that data, learning from documents, contracts, presentations, and other files that organizations routinely share via email, she adds. Threat actors can use AI to analyze documents, writing styles, terminology, vendor relationships, and communication patterns to craft eerily convincing messages. "In healthcare, and other highly collaborative industries, this creates a dangerous feedback loop," Cheng-Shorland says. "The more sensitive content that is exposed, the more accurately attackers can impersonate executives, clinicians, business partners, and trusted vendors, making social engineering attacks significantly more difficult to detect." Attacking Trust, Not Just Tech The trends echo what Health-ISAC sees as well – a shift toward more targeted, impersonation driven, and multi-channel social manipulation. Threat actors use techniques like pretexting that lead to more "credible deception that aligns with how healthcare actually works," explains Weiss. "The [social engineering] evolution includes tighter personalization, more supplier/executive/helpdesk impersonation, and more emphasis on credential theft and session hijacking techniques, all designed to move quickly before teams can verify or respond," Weiss warns. The healthcare industry has its work cut out for them because "they’re more vulnerable than the baseline," the DBIR stated. Verizon recommended that organizations make phishing a top priority, extend multifactor authentication to protect VPN access, and implement continuous security awareness training. Weiss agrees that security measures should focus on layered identity controls and strong verification procedures that extend to sensitive requests, backed by rapid reporting and triage "because attackers are optimizing for human trust as much as technical weaknesses." About the Author Arielle Waldman Features Writer, Dark Reading Arielle spent the last decade working as a reporter, transitioning from human interest stories to covering all things cybersecurity related in 2020. Now, as a features writer for Dark Reading, she delves into the security problems enterprises face daily, providing context and actionable steps. She looks for stories that go past the initial news to understand where the industry is going. Her coverage areas include identity and access management, cyber risk and operations, industrial control systems, operational technology, and ransomware trends. She previously lived in Florida where she wrote for the Tampa Bay Times before returning to Boston where her cybersecurity career took off at TechTarget SearchSecurity. When she's not writing about cybersecurity, she pursues personal projects that include a mystery novel and poetry collection. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Organizations Are Managing Incident Response How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Ditch the Data Center: Understanding Flexible Cloud Infrastructure Security Management Access More Research Webinars Defending in the Shadow Era: When the CVE Feed Goes Dark Building SecOps That Make the Most of Every Dollar AI-Powered Credential Security: Intelligence Without Exposure AI-Powered Cybersecurity for Resource-Constrained Organizations How Security Teams should apply Threat Intelligence into their Defenses More Webinars You May Also Like CYBER RISK How Can CISOs Respond to Ransomware Getting More Violent? by James Doggett JAN 28, 2026 CYBER RISK US Cyber Pros Plead Guilty Over BlackCat Ransomware Activity by Alexander Culafi JAN 05, 2026 CYBER RISK Switching to Offense: US Makes Cyber Strategy Changes by Robert Lemos, Contributing Writer NOV 21, 2025 CYBER RISK Microsoft Exchange 'Under Imminent Threat,' Act Now by Arielle Waldman NOV 12, 2025 Edge Picks APPLICATION SECURITY AI Agents in Browsers Light on Cybersecurity, Bypass Controls CYBER RISK Browser Extensions Pose Heightened, but Manageable, Security Risks CYBERSECURITY OPERATIONS Video Convos: Agentic AI, Apple, EV Chargers; Cybersecurity Peril Abounds ENDPOINT SECURITY Extension Poisoning Campaign Highlights Gaps in Browser Security Latest Articles in The Edge CYBERATTACKS &