
Even After an Email Breach, Most Healthcare Organizations Don’t Configure Their Email Correctly

Email is still healthcare's top breach vector, and most orgs don't know their messages are being sent unsecured

SAN FRANCISCO--(BUSINESS WIRE)--Healthcare organizations may think they’re HIPAA compliant, but a new report from email security company Paubox shows that many are silently sending protected health information without encryption, many without even knowing it.

The report, What healthcare gets wrong about HIPAA and email security, calls out a dangerous disconnect: “Most healthcare organizations have policies and tools that appear to check every HIPAA box. The issue is a disconnect between configuration and verification.”

Even when encryption settings are technically enabled, email platforms can still deliver messages without warning when encryption fails, for example because the recipient's mail server does not support modern TLS. The sender gets no alert, and no audit trail shows that the message was exposed.
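The silent fallback described above is what opportunistic TLS does by design. As an added illustration that is not part of the report or of Paubox's product, the following Postfix main.cf fragment (Postfix is assumed as the outbound MTA; the partner domains are constructed placeholders) shows the weak, opportunistic-only state beside a configuration that refuses to downgrade for designated recipients and logs every TLS outcome.

```ini
# ---- Weak (opportunistic only) ------------------------------------------
# "may" means: use STARTTLS if the remote MX offers it, otherwise deliver in
# cleartext. A missing STARTTLS or a failed handshake with an old TLS stack
# produces no error and no alert, which is the failure mode in the report.
#   smtp_tls_security_level = may

# ---- Corrected ------------------------------------------------------------
# Keep "may" as the global default, but override it per destination so that
# mail to PHI-exchanging partners is deferred (not downgraded) when TLS fails.
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# For the mandatory levels (encrypt/secure) refuse legacy protocol versions
# rather than silently negotiating them.
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_ciphers = high

# Record the TLS outcome of each outbound session (protocol, cipher, and
# whether STARTTLS was offered but unused) so a downgrade leaves an audit trail.
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes

# ---- /etc/postfix/tls_policy (run "postmap /etc/postfix/tls_policy") ------
# Constructed placeholder domains. "secure" also verifies the server
# certificate against the destination name; "encrypt" only requires TLS.
#   partner-clinic.example    secure
#   payer.example             encrypt
```

Verify the live values with `postconf smtp_tls_security_level smtp_tls_policy_maps smtp_tls_mandatory_protocols`, and confirm in the mail log that deliveries to the listed domains show a TLS line rather than a plain "status=sent" after a failed handshake.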

“From a compliance standpoint, that’s a breakdown the organization can’t detect until it’s too late,” the report states.

In just the first half of 2025, 107 email-related HIPAA breaches were reported to the Department of Health and Human Services, putting the year on pace to exceed last year’s 180 email breaches.

To compensate, some organizations rely on secure portals or manual encryption triggers. Paubox warns these methods create their own risks, mainly due to human error: “Every single unencrypted message containing PHI can trigger a reportable HIPAA breach.” In one enforcement case, a clinic was fined $25,000 for a single message sent to the wrong person without encryption.

The report comes as the Office for Civil Rights pushes to strengthen the HIPAA Security Rule, proposing that encryption of PHI at rest and in transit become a required safeguard, not an optional one.

“Every unencrypted email is a potential breach, and every breach erodes trust,” says Paubox CEO Hoala Greevy. “The leaders who automate compliance now are the ones who’ll avoid the fines, the headlines, and operational delays later.”

Paubox urges healthcare IT and compliance leaders to begin auditing outbound email security now.

The full report, What healthcare gets wrong about HIPAA and email security, is available now at https://hubs.la/Q03Sqkwp0.

Contacts

Media Contact:
Dawn Halpin
press@paubox.com
