
Microsoft’s Email Encryption Behavior May Violate HIPAA, New Paubox Report Warns

New evidence shows Microsoft 365 may expose sensitive health information over email without encryption or notice—posing HIPAA compliance risks for providers

SAN FRANCISCO--(BUSINESS WIRE)--A new report from Paubox, a leader in HIPAA compliant email, reveals that Microsoft 365’s email encryption behavior could be putting healthcare organizations at serious risk of noncompliance.

In a series of controlled TLS experiments, Paubox researchers found that Microsoft 365 may transmit messages in cleartext when encryption fails, without bouncing the message, alerting the sender, or logging any evidence of the failure. This occurred when messages were sent to recipient servers that did not support modern TLS protocols.

The messages in question contained simulated PHI and were sent in accordance with typical “force TLS” configurations that many IT leaders believe are sufficient for HIPAA compliance.

“Our team expected the message to bounce,” said Hoala Greevy, CEO of Paubox. “Instead, it went through unencrypted—and unless you knew where to look in the headers, you’d have no idea.”

Paubox argues that this fallback behavior runs counter to the transmission security standard in HIPAA’s Security Rule (45 CFR §164.312(e)(1)), which requires technical security measures to guard against unauthorized access to electronic PHI while it is transmitted over an electronic communications network. If encryption fails and there is no way to detect or prove it, a healthcare organization may be transmitting PHI without the protections HIPAA requires, and without the evidence it would need to show otherwise.

According to the report:

  • Microsoft 365 will attempt TLS fallback—and if that fails, deliver in cleartext
  • No warning or notification is provided to the sender
  • Encryption failures are not recorded in any accessible audit trail
  • This behavior is the default, not a misconfiguration

Paubox also warns more broadly against relying on force TLS settings in cloud email platforms, describing the practice as a “false sense of security that cannot be audited.”

Healthcare IT and compliance leaders are encouraged to review the findings and test their own environments.
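One way to act on that recommendation is to audit the Received: headers of a delivered test message hop by hop, since the report notes that the headers are the only place a cleartext fallback leaves a trace. The Python below is an added example, not code from Paubox or Microsoft. The sample message, hostnames, addresses and queue IDs are constructed; the markers it looks for (Postfix/Sendmail/Exim `with ESMTPS` and Postfix's `(using TLSv1.2 ...)` annotation, and Exchange's `(version=TLS1_2, cipher=...)`) are the conventions those MTAs use when the inbound session was TLS-protected.

```python
"""Audit the Received: headers of a delivered message for per-hop TLS evidence.

Added example; not Paubox's or Microsoft's code. The sample messages,
hostnames, addresses and queue IDs below are constructed for illustration.
"""
import email
import re

# Markers that common receiving MTAs write into Received: when the inbound
# SMTP session was TLS-protected. An MTA not configured to annotate TLS may
# write none of them, so "no evidence" is weaker than "cleartext"; but a
# Postfix/Sendmail/Exim hop recorded as "with ESMTP" (no S) was unencrypted.
TLS_EVIDENCE = (
    # Postfix/Sendmail/Exim: "with ESMTPS", "with ESMTPSA", "with UTF8SMTPS"
    ("smtp-keyword", re.compile(r"\bwith\s+\w*SMTPSA?\b", re.IGNORECASE)),
    # Postfix with smtpd_tls_received_header=yes: "(using TLSv1.2 with cipher ...)"
    ("postfix-using-tls", re.compile(r"\busing\s+TLSv[\d.]+", re.IGNORECASE)),
    # Exchange / Microsoft 365: "with Microsoft SMTP Server (version=TLS1_2, cipher=...)"
    ("exchange-version", re.compile(r"\bversion=TLS[\w.]*", re.IGNORECASE)),
)
HOP_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
HOP_BY = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)

# Constructed final hop, as a recipient's Postfix records a cleartext session.
FINAL_HOP_CLEARTEXT = """\
Received: from relay2.sender-tenant.example (relay2.sender-tenant.example [192.0.2.10])
\tby mx.legacy-clinic.example (Postfix) with ESMTP id 4XyZ12345
\tfor <records@legacy-clinic.example>; Tue, 1 Jul 2025 10:15:32 -0700 (PDT)
"""
# The same hop as Postfix records a TLS session (smtpd_tls_received_header=yes).
FINAL_HOP_TLS = """\
Received: from relay2.sender-tenant.example (relay2.sender-tenant.example [192.0.2.10])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\t(No client certificate requested)
\tby mx.legacy-clinic.example (Postfix) with ESMTPS id 4XyZ12346
\tfor <records@legacy-clinic.example>; Tue, 1 Jul 2025 10:15:32 -0700 (PDT)
"""
# Constructed internal hops in Exchange's header format, plus the rest of the message.
INNER_HOPS_AND_BODY = """\
Received: from relay1.sender-tenant.example (192.0.2.5) by relay2.sender-tenant.example (192.0.2.10)
\twith Microsoft SMTP Server (version=TLS1_2,
\tcipher=TLS_ECDHE_RSA_WITH_AES256_GCM_SHA384) id 15.20.8000.10; Tue, 1 Jul 2025 17:15:30 +0000
Received: from [10.1.2.3] (203.0.113.7) by relay1.sender-tenant.example (192.0.2.5)
\twith Microsoft SMTP Server (version=TLS1_2,
\tcipher=TLS_ECDHE_RSA_WITH_AES256_GCM_SHA384) id 15.20.8000.10 via Frontend Transport; Tue, 1 Jul 2025 17:15:29 +0000
From: nurse@sender-tenant.example
To: records@legacy-clinic.example
Subject: Test message
Content-Type: text/plain; charset=us-ascii

(simulated PHI placeholder)
"""
SAMPLE_CLEARTEXT = FINAL_HOP_CLEARTEXT + INNER_HOPS_AND_BODY
SAMPLE_TLS = FINAL_HOP_TLS + INNER_HOPS_AND_BODY


def received_hops(raw_message: str) -> list[dict]:
    """One record per Received: header, topmost (the final delivery hop) first."""
    msg = email.message_from_string(raw_message)  # default compat32 policy keeps folding
    hops = []
    for value in msg.get_all("Received") or []:
        line = " ".join(value.split())  # unfold continuation lines
        evidence = [name for name, rx in TLS_EVIDENCE if rx.search(line)]
        m_from, m_by = HOP_FROM.search(line), HOP_BY.search(line)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "tls": bool(evidence),
            "evidence": evidence,
        })
    return hops


def cleartext_hops(raw_message: str) -> list[dict]:
    """Hops with no TLS evidence at all; the audit finding to chase."""
    return [h for h in received_hops(raw_message) if not h["tls"]]


def all_hops_encrypted(raw_message: str) -> bool:
    """True only if every recorded hop carries some TLS marker."""
    hops = received_hops(raw_message)
    return bool(hops) and all(h["tls"] for h in hops)


if __name__ == "__main__":
    for label, raw in (("cleartext final hop", SAMPLE_CLEARTEXT), ("TLS final hop", SAMPLE_TLS)):
        print(f"== {label}: all hops encrypted = {all_hops_encrypted(raw)}")
        for h in received_hops(raw):
            status = "TLS " + ",".join(h["evidence"]) if h["tls"] else "NO TLS EVIDENCE"
            print(f"  {h['from']} -> {h['by']}: {status}")
```

The decisive hop is the topmost one, written by the recipient's MX, and it exists only in the delivered copy, not in the sender's Sent Items. To test as the report did, send to a mailbox on a server you control whose MX accepts only legacy TLS or none, then pull the headers there. Absence of a marker is not proof of cleartext unless the receiving MTA is known to annotate TLS, but a Postfix-style hop recorded as `with ESMTP` rather than `with ESMTPS` was unencrypted.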

The full report, How Microsoft and Google Put PHI at Risk, is available here: https://hubs.la/Q03v1MCR0

Contacts

Media Contact:
Dawn Halpin
press@paubox.com
