-

Microsoft’s Email Encryption Behavior May Violate HIPAA, New Paubox Report Warns

New evidence shows Microsoft 365 may expose sensitive health information over email without encryption or notice—posing HIPAA compliance risks for providers

SAN FRANCISCO--(BUSINESS WIRE)--A new report from Paubox, a leader in HIPAA compliant email, reveals that Microsoft 365’s email encryption behavior could be putting healthcare organizations at serious risk of noncompliance.

Microsoft 365’s email encryption behavior could be putting healthcare organizations at serious risk of noncompliance

Share

In a series of controlled TLS experiments, Paubox researchers found that Microsoft 365 may transmit messages in cleartext when encryption fails, without bouncing the message, alerting the sender, or logging any evidence of the failure. This occurred when messages were sent to recipient servers that did not support modern TLS protocols.

The messages in question contained simulated PHI and were sent in accordance with typical “force TLS” configurations that many IT leaders believe are sufficient for HIPAA compliance.

“Our team expected the message to bounce,” said Hoala Greevy, CEO of Paubox. “Instead, it went through unencrypted—and unless you knew where to look in the headers, you’d have no idea.”

Microsoft’s fallback behavior directly contradicts the expectations outlined in HIPAA’s Security Rule (45 CFR §164.312(e)(1)), which requires technical safeguards to ensure PHI is protected in transit. If encryption fails, and there is no way to detect or prove it, healthcare organizations may be unknowingly transmitting PHI without the protections HIPAA requires.

According to the report:

  • Microsoft 365 will attempt TLS fallback—and if that fails, deliver in cleartext
  • No warning or notification is provided to the sender
  • Encryption failures are not recorded in any accessible audit trail
  • This behavior is the default, not a misconfiguration

Paubox also calls out broader issues with relying on force TLS settings in cloud platforms, calling the practice a “false sense of security that cannot be audited.”

Healthcare IT and compliance leaders are encouraged to review the findings and test their own environments.

The full report, How Microsoft and Google Put PHI at Risk, is available here: https://hubs.la/Q03v1MCR0

Contacts

Media Contact:
Dawn Halpin
press@paubox.com

Industry:

Paubox

Release Versions
English
Hashtags
#PHI
#cybersecurity
#emailsecurity
#encryption
#microsoft

Contacts

Media Contact:
Dawn Halpin
press@paubox.com

Social Media Profiles
Paubox on Facebook
Paubox on LinkedIn
Paubox on YouTube
More News From Paubox

Credential Theft Drives Most Damaging Healthcare Email Breaches Going Into 2026

SAN FRANCISCO--(BUSINESS WIRE)--Stolen login credentials led to the most damaging email-related healthcare breaches in 2025, exposing more than 630,000 patient records even though these attacks represented less than one-fifth of total email incidents, according to new research from Paubox. The healthcare email security company analyzed breach data reported to the U.S. Department of Health and Human Services throughout 2025 and identified three dominant email attack patterns responsible for 170...

Healthcare Email Is Being Delivered to Unverified Servers, New Paubox Data Shows

SAN FRANCISCO--(BUSINESS WIRE)--An estimated 3 million email addresses may be at risk of exposure to common cyberattacks, such as man-in-the-middle attacks, because email delivery often proceeds even when certificate validation fails. New research from Paubox found that encrypted email is routinely sent to servers with expired or self-signed certificates, preventing reliable verification of the recipient’s identity. In an analysis of outbound healthcare email traffic, Paubox found that approxim...

Even After an Email Breach, Most Healthcare Organizations Don’t Configure Their Email Correctly

SAN FRANCISCO--(BUSINESS WIRE)--Healthcare organizations may think they’re HIPAA compliant, but a new report from email security company Paubox shows that many are silently sending protected health information without encryption, many without even knowing it. What healthcare gets wrong about HIPAA and email security, calls out a dangerous disconnect: “Most healthcare organizations have policies and tools that appear to check every HIPAA box. The issue is a disconnect between configuration and v...
Back to Newsroom