Even After an Email Breach, Most Healthcare Organizations Don’t Configure Their Email Correctly

Email is still healthcare's top breach vector, and most orgs don't know their messages are being sent unsecured

SAN FRANCISCO--(BUSINESS WIRE)--Healthcare organizations may think they’re HIPAA compliant, but a new report from email security company Paubox shows that many are silently sending protected health information without encryption, often without even knowing it.

The report, What healthcare gets wrong about HIPAA and email security, calls out a dangerous disconnect: “Most healthcare organizations have policies and tools that appear to check every HIPAA box. The issue is a disconnect between configuration and verification.”

Even when encryption settings are technically enabled, email platforms can still deliver messages in the clear, without warning, when encryption negotiation fails, for example, when the recipient server doesn’t support modern TLS. The sender gets no alert, and no audit trail shows the message was exposed.
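The fail-open behaviour described above is what a sending mail system avoids by refusing to fall back to plaintext and by recording every delivery decision. The following is an added example, not code from Paubox or from the report; it goes a step beyond the text by using MTA-STS (RFC 8461), the standard by which a receiving domain tells senders to require TLS and to use only named MX hosts. The policy text, host names and function names are constructed for illustration; a real sender would fetch the policy over HTTPS and learn the TLS version from the actual SMTP session.

```python
from dataclasses import dataclass, field

# Constructed sample MTA-STS policy, in the format a receiving domain publishes
# at https://mta-sts.<domain>/.well-known/mta-sts.txt (hypothetical domain).
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example-clinic.invalid
mx: *.backup.example-clinic.invalid
max_age: 604800
"""

# TLS versions we treat as "modern"; anything else counts as a failed negotiation.
MODERN_TLS = ("TLSv1.2", "TLSv1.3")


@dataclass
class StsPolicy:
    mode: str                                  # "enforce", "testing" or "none"
    mx_patterns: list = field(default_factory=list)
    max_age: int = 0


def parse_mta_sts_policy(text: str) -> StsPolicy:
    """Parse the key: value lines of an MTA-STS policy file."""
    fields, mx = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            mx.append(value.lower())
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported or missing MTA-STS version")
    mode = fields.get("mode", "").lower()
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode: {mode!r}")
    return StsPolicy(mode=mode, mx_patterns=mx, max_age=int(fields.get("max_age", "0")))


def mx_matches(policy: StsPolicy, mx_host: str) -> bool:
    """True if mx_host is allowed by the policy's mx entries."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy.mx_patterns:
        if pattern.startswith("*."):
            # A wildcard covers exactly one leading label (RFC 8461, section 3.2).
            labels = host.split(".", 1)
            if len(labels) == 2 and labels[1] == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False


def decide_delivery(policy: StsPolicy, mx_host: str, tls_version, require_tls: bool = True):
    """Return (action, reason); action is "deliver" or "hold".

    tls_version is the version negotiated with the MX, or None if STARTTLS
    failed or was not offered. require_tls is the sender's own local rule,
    applied when the remote policy alone would permit plaintext fallback.
    """
    tls_ok = tls_version in MODERN_TLS
    if policy.mode == "enforce":
        if not mx_matches(policy, mx_host):
            return "hold", f"MX {mx_host} not permitted by enforce-mode policy"
        if not tls_ok:
            return "hold", f"enforce-mode policy but TLS is {tls_version or 'absent'}"
        return "deliver", f"TLS {tls_version} to policy-approved MX"
    # testing/none: the remote side tolerates fallback, so the local rule decides.
    if not tls_ok:
        if require_tls:
            return "hold", f"local require-TLS rule; remote offered {tls_version or 'no TLS'}"
        # This is the silent fallback the report warns about; at least make it visible.
        return "deliver", f"PLAINTEXT FALLBACK: remote offered {tls_version or 'no TLS'}"
    return "deliver", f"TLS {tls_version} (policy mode {policy.mode})"


def audit_record(message_id: str, recipient_domain: str, action: str, reason: str) -> str:
    """One audit-log line per delivery decision, so exposure is never untraceable."""
    return f'msgid={message_id} domain={recipient_domain} action={action} reason="{reason}"'


if __name__ == "__main__":
    policy = parse_mta_sts_policy(SAMPLE_POLICY)
    for mx, tls in [("mail.example-clinic.invalid", "TLSv1.3"),
                    ("mail.example-clinic.invalid", None),
                    ("mx.unrelated.invalid", "TLSv1.3")]:
        action, reason = decide_delivery(policy, mx, tls)
        print(audit_record("<constructed-id@sender.invalid>", "example-clinic.invalid", action, reason))
```

Two things make this the opposite of the silent failure in the text: a held message is never delivered in the clear, and every decision, including a permitted fallback under a testing-mode policy, leaves an audit line that a compliance review can find later.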

“From a compliance standpoint, that’s a breakdown the organization can’t detect until it’s too late,” the report states.

In just the first half of 2025, 107 email-related HIPAA breaches were reported to the Department of Health and Human Services, putting the year on pace to exceed last year’s 180 email breaches.

To compensate, some organizations rely on secure portals or manual encryption triggers. Paubox warns these methods create their own risks, mainly due to human error: “Every single unencrypted message containing PHI can trigger a reportable HIPAA breach.” In one enforcement case, a clinic was fined $25,000 for a single message sent to the wrong person without encryption.

The report comes as the Office for Civil Rights pushes to strengthen the HIPAA Security Rule, proposing that encryption of PHI at rest and in transit become a required safeguard, not an optional one.

“Every unencrypted email is a potential breach, and every breach erodes trust,” says Paubox CEO Hoala Greevy. “The leaders who automate compliance now are the ones who’ll avoid the fines, the headlines, and operational delays later.”

Paubox urges healthcare IT and compliance leaders to begin auditing outbound email security now.

The full report, What healthcare gets wrong about HIPAA and email security, is available now at https://hubs.la/Q03Sqkwp0.

Contacts

Media Contact:
Dawn Halpin
press@paubox.com

Paubox
