Microsoft’s Email Encryption Behavior May Violate HIPAA, New Paubox Report Warns

New evidence shows Microsoft 365 may expose sensitive health information over email without encryption or notice—posing HIPAA compliance risks for providers

SAN FRANCISCO--(BUSINESS WIRE)--A new report from Paubox, a leader in HIPAA compliant email, reveals that Microsoft 365’s email encryption behavior could be putting healthcare organizations at serious risk of noncompliance.

In a series of controlled TLS experiments, Paubox researchers found that Microsoft 365 may transmit messages in cleartext when encryption fails, without bouncing the message, alerting the sender, or logging any evidence of the failure. This occurred when messages were sent to recipient servers that did not support modern TLS protocols.

The messages in question contained simulated PHI and were sent in accordance with typical “force TLS” configurations that many IT leaders believe are sufficient for HIPAA compliance.

“Our team expected the message to bounce,” said Hoala Greevy, CEO of Paubox. “Instead, it went through unencrypted—and unless you knew where to look in the headers, you’d have no idea.”

Microsoft’s fallback behavior directly contradicts the expectations outlined in HIPAA’s Security Rule (45 CFR §164.312(e)(1)), which requires technical safeguards to ensure PHI is protected in transit. If encryption fails, and there is no way to detect or prove it, healthcare organizations may be unknowingly transmitting PHI without the protections HIPAA requires.

According to the report:

  • Microsoft 365 will attempt TLS fallback—and if that fails, deliver in cleartext
  • No warning or notification is provided to the sender
  • Encryption failures are not recorded in any accessible audit trail
  • This behavior is the default, not a misconfiguration

Paubox also raises broader concerns about relying on force TLS settings in cloud platforms, calling the practice a “false sense of security that cannot be audited.”

Healthcare IT and compliance leaders are encouraged to review the findings and test their own environments.
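As an added example (not code from Paubox’s report or from Microsoft), the following Python script shows one way to perform the header check the report alludes to: parse the Received: chain of a message as it arrived at a test mailbox and flag every hop whose header records no TLS evidence. The sample message, hostnames and addresses are constructed for the example. The patterns it matches are the RFC 3848 “with ESMTPS/ESMTPSA” keywords, the “(version=TLS…, cipher=…)” clause Exchange Online writes, and the “(using TLSv…” clause Postfix writes; an MTA that records TLS some other way would need its own pattern added.

```python
import email
import re

# Constructed sample message as it arrived at a recipient MX that does not
# speak modern TLS. Received headers are newest-first: the top one was added
# by the final hop. Hostnames and IPs are RFC 2606 / RFC 5737 example values.
SAMPLE_MESSAGE = """\
Received: from mail-out.outlook.example (203.0.113.20)
 by legacy-mail.partner.example with ESMTP id 4Xk2Qb1z;
 Mon, 1 Sep 2025 10:00:03 +0000
Received: from mx.clinic.example (192.0.2.10)
 by mail-out.outlook.example (203.0.113.20) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1;
 Mon, 1 Sep 2025 10:00:02 +0000
Received: from workstation.clinic.example (198.51.100.7)
 by mx.clinic.example (192.0.2.10) with ESMTPSA id 7Hj9Pq;
 Mon, 1 Sep 2025 10:00:01 +0000
From: nurse@clinic.example
To: records@partner.example
Subject: Lab results

(simulated PHI body, constructed for the example)
"""

# Ways a receiving MTA commonly records that the hop was TLS-protected:
#  - RFC 3848 "with" keywords whose S suffix means "over TLS" (ESMTPS, ESMTPSA, ...)
#  - Exchange Online: "with Microsoft SMTP Server (version=TLS1_2, cipher=...)"
#  - Postfix: "(using TLSv1.3 with cipher ...)"
TLS_EVIDENCE = re.compile(
    r"\bwith\s+(?:ESMTPS|ESMTPSA|UTF8SMTPS|UTF8SMTPSA|LMTPS)\b"
    r"|\(version=TLS[^)]*\)"
    r"|\(using\s+TLSv[0-9.]+",
    re.IGNORECASE,
)


def parse_hops(raw_message):
    """Return the Received chain oldest-first as dicts: from, by, tls, header."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each relay prepends its Received header, so reverse to get oldest-first.
    for value in reversed(msg.get_all("Received", [])):
        flat = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
        m_from = re.search(r"\bfrom\s+(\S+)", flat)
        m_by = re.search(r"\bby\s+(\S+)", flat)
        hops.append({
            "from": m_from.group(1) if m_from else "?",
            "by": m_by.group(1) if m_by else "?",
            "tls": TLS_EVIDENCE.search(flat) is not None,
            "header": flat,
        })
    return hops


def hops_without_tls_evidence(raw_message):
    """Hops whose Received header carries none of the known TLS markers."""
    return [hop for hop in parse_hops(raw_message) if not hop["tls"]]


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_MESSAGE):
        status = "TLS" if hop["tls"] else "NO TLS EVIDENCE"
        print(f"{hop['from']} -> {hop['by']}: {status}")
    suspect = hops_without_tls_evidence(SAMPLE_MESSAGE)
    if suspect:
        print(f"{len(suspect)} hop(s) need investigation")
```

Received headers are written by the receiving server, so a sending organization can only run this check on messages delivered to a mailbox or test server it controls, which is how the report describes its experiment. Treat “no TLS evidence” as a reason to investigate rather than proof of cleartext: an MTA that never records TLS details produces the same result as one that genuinely received the message in the clear.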

The full report, How Microsoft and Google Put PHI at Risk, is available here: https://hubs.la/Q03v1MCR0

Contacts

Media Contact:
Dawn Halpin
press@paubox.com

Paubox
