Verizon DBIR: Healthcare Fights Rising Tide of AI-Powered Social Engineering Attacks
The 2026 Verizon DBIR finds social engineering attacks surged in healthcare, with AI-driven pretexting emerging as a top threat vector.
The 2026 Verizon Data Breach Investigations Report (DBIR) delivers a stark warning for the healthcare sector: social engineering attacks are not only increasing but becoming far more sophisticated, driven by generative artificial intelligence. While ransomware and third-party vendor breaches remain persistent dangers, the report identifies social engineering as one of the top three breach patterns alongside system intrusion and miscellaneous errors, collectively accounting for 81% of healthcare breaches.
Attackers have moved beyond generic phishing. The DBIR highlights a sharp rise in pretexting — fabricating identities or scenarios to manipulate targets — which jumped to the number two social action in healthcare breaches, behind only phishing. Pretexting was absent from the healthcare section of the 2024 and 2025 DBIR, underscoring how quickly the landscape has shifted. AI tools enable attackers to analyze an organization's internal documents, contracts, and communication styles, then craft eerily convincing lures that impersonate executives, clinicians, and trusted vendors.
Chao Cheng-Shorland, co-founder and CEO of ShelterZoom, told Dark Reading that attackers have taken traditional phishing up a notch by using generative AI to create highly targeted, context-aware communications at scale. The sense of urgency already baked into healthcare workflows — where split-second decisions are routine — makes the sector especially vulnerable to these evolved tactics. "The more sensitive content that is exposed, the more accurately attackers can impersonate… making social engineering attacks significantly more difficult to detect," he said.
The Health Information Sharing and Analysis Center (Health-ISAC) echoes these concerns. CSO Errol Weiss emphasized that the real story isn't just attack volume but effectiveness. Attackers have responded to improved email security by refining pretexts around vendor billing, HR, IT access, and even clinical operations. "The more important story isn't just volume; it's effectiveness," Weiss told Dark Reading, noting that members report social engineering feels "resurgent" over the past year.
Sarah Sabotka, staff threat researcher at Proofpoint, offered a nuanced reading of the DBIR findings. She acknowledged that better breach reporting may partially explain the apparent increase in social engineering incidents. The 2025 DBIR classified many healthcare breaches as "Everything Else" due to insufficient data; as notification quality improves, previously unclassified social engineering attacks are now being accurately captured. Still, she agrees that AI-fueled pretexting is a genuine and growing threat across industries.
The implications for healthcare are profound. The sector already grapples with legacy systems, high-value patient data, and an imperative to maintain uninterrupted care. AI-enhanced social engineering attacks exploit these operational pressures directly, targeting trust rather than just technology. As the line between legitimate communication and malicious impersonation blurs, healthcare organizations must invest in workforce training, AI-detection tools, and robust verification processes — because the attackers are already using AI to get inside the door.