An independent cybersecurity review across the largest healthcare payers in the United States — national health insurers, Blue Cross plans, and managed-care organizations including UnitedHealthcare, Elevance Health, and Cigna — reveals a surprisingly wide range of results. These organizations handle sensitive customer and financial data at national scale, yet several show the same email-authentication gaps found at much smaller regional institutions.
Using data from audit.emailmenow.com, we evaluated each payer’s primary domain across email, website, and network security — including SPF, DKIM, DMARC, MTA-STS/TLS, and security headers.
In this national audit, scores ranged from 78% to 44% — 6 of 18 (33%) scored below 60%.
Cybersecurity Scores of Healthcare Payers
Overall compliance scores from audit.emailmenow.com. Re-run any domain at the link to verify.
| Rank | Healthcare Payer | Domain | Overall Score | Performance Level |
|---|---|---|---|---|
| 1 | Cigna | cigna.com | 78% | Strong |
| 2 | Molina Healthcare | molinahealthcare.com | 71% | Strong |
| 2 | Health Care Service Corp | hcsc.com | 71% | Strong |
| 4 | Elevance Health | elevancehealth.com | 70% | Strong |
| 4 | Humana | humana.com | 70% | Strong |
| 4 | Centene | centene.com | 70% | Strong |
| 7 | Oscar Health | hioscar.com | 68% | Good |
| 8 | UnitedHealth Group | unitedhealthgroup.com | 65% | Good |
| 9 | Highmark | highmark.com | 64% | Above Average |
| 10 | Aetna | aetna.com | 62% | Above Average |
| 11 | UnitedHealthcare | uhc.com | 61% | Above Average |
| 12 | Independence Blue Cross | ibx.com | 60% | Above Average |
| 13 | Florida Blue | floridablue.com | 54% | Below Average |
| 13 | Blue Cross Blue Shield MA | bcbsma.com | 54% | Below Average |
| 13 | Clover Health | cloverhealth.com | 54% | Below Average |
| 13 | Point32Health | point32health.org | 54% | Below Average |
| 13 | GuideWell | guidewell.com | 54% | Below Average |
| 18 | Kaiser Permanente | kp.org | 44% | Weak |
What the Results Reveal
- Scores range from 78% (Cigna) down to 44% (Kaiser Permanente) — 6 payers reach a strong (70%+) posture, led by Cigna at 78%.
- Several Blue Cross affiliates and regional plans cluster near 54%, while Molina (71%), HCSC (71%), and Centene (70%) lead the managed-care segment.
- Kaiser Permanente (44%) — one of the largest integrated payers — trails nearly every standalone insurer on basic email authentication.
- Without an enforced DMARC policy, criminals can spoof a payer’s own domain to phish members about benefits, EOBs, or premium payments.
Why This Matters for Healthcare Payers
Health insurers and managed-care organizations are bound by HIPAA security rules, HHS oversight, and state insurance department requirements. Email authentication (SPF, DKIM, and an enforced DMARC policy) is the single highest-impact control against member phishing, benefits fraud, and business email compromise targeting enrollment and claims data.
Check any payer’s posture at audit.emailmenow.com/?industry=healthcare-systems.
See also — state audits
- Texas Healthcare Systems
- California Healthcare Systems
- Florida Healthcare Systems
- Illinois Healthcare Systems
- New York Healthcare Systems
- Pennsylvania Healthcare Systems
- Ohio Healthcare Systems
- Georgia Healthcare Systems
- Michigan Healthcare Systems
Recommendations
- Enforce DMARC (p=reject), strict SPF (-all), and DKIM signing.
- Add MTA-STS and website security headers.
- Adopt verified call-back procedures for any change to payment or wiring instructions, and train customer-facing staff.
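To make the first recommendation concrete, the added example below (not code from the audit page or from EmailMeNow) classifies SPF and DMARC TXT records the way an "enforced DMARC / strict SPF" check would: it reads the qualifier on the SPF `all` mechanism and requires `p=quarantine` or `p=reject` at `pct=100` before calling a DMARC policy enforced. The domains and records are constructed samples, not real payer DNS data.

```python
# Added example, not from the audit page or EmailMeNow. The records in
# SAMPLE_RECORDS are constructed for illustration, not real DNS data.
import re

def spf_strength(txt: str) -> str:
    """Classify an SPF record by the qualifier on its 'all' mechanism."""
    if not txt.lower().startswith("v=spf1"):
        return "missing"
    # 'all' is evaluated last; its qualifier decides how unlisted senders are treated.
    for term in txt.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return {"-": "strict", "~": "soft", "?": "neutral",
                    "+": "pass-all", "": "pass-all"}[m.group(1)]
    return "neutral"  # no 'all' term: unlisted senders get an implicit neutral result

def dmarc_policy(txt: str) -> dict:
    """Parse a DMARC record into tags and decide whether the policy is enforced."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"present": False, "enforced": False, "policy": None, "pct": 0}
    policy = tags.get("p", "none").lower()  # a missing p tag is treated as none
    pct = int(tags.get("pct", "100"))
    # Enforced means quarantine or reject applied to 100% of failing mail;
    # p=none (monitor only) or a partial pct still lets spoofed mail through.
    enforced = policy in ("quarantine", "reject") and pct == 100
    return {"present": True, "enforced": enforced, "policy": policy, "pct": pct}

SAMPLE_RECORDS = {  # constructed sample records, not real domains
    "good.example": {
        "spf": "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100",
    },
    "monitor-only.example": {
        "spf": "v=spf1 include:_spf.example.net ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    },
}

def assess(domain: str) -> dict:
    """Combine the SPF and DMARC verdicts for one sample domain."""
    rec = SAMPLE_RECORDS[domain]
    return {"spf": spf_strength(rec["spf"]), "dmarc": dmarc_policy(rec["dmarc"])}

if __name__ == "__main__":
    for d in SAMPLE_RECORDS:
        print(d, assess(d))
```

Pointing `SAMPLE_RECORDS` at records fetched from DNS for your own domain turns this into a local version of the authentication portion of the audit.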
Protect your organization. Run a free Instant Cybersecurity Audit at audit.emailmenow.com/?industry=healthcare-systems.
Contact EmailMeNow IT Consulting for help with HIPAA-aligned email security hardening.
Source & methodology: Overall compliance scores from the free scan at audit.emailmenow.com — each domain checked for email authentication (SPF, DKIM, DMARC), transport security (MTA-STS/TLS), website security headers, and network security. Re-run any domain at the link to verify.