
Microsoft’s Email Encryption Behavior May Violate HIPAA, New Paubox Report Warns

New evidence shows Microsoft 365 may expose sensitive health information over email without encryption or notice—posing HIPAA compliance risks for providers

SAN FRANCISCO--(BUSINESS WIRE)--A new report from Paubox, a leader in HIPAA compliant email, reveals that Microsoft 365’s email encryption behavior could be putting healthcare organizations at serious risk of noncompliance.


In a series of controlled TLS experiments, Paubox researchers found that Microsoft 365 may transmit messages in cleartext when encryption fails, without bouncing the message, alerting the sender, or logging any evidence of the failure. This occurred when messages were sent to recipient servers that did not support modern TLS protocols.

The messages in question contained simulated PHI and were sent in accordance with typical “force TLS” configurations that many IT leaders believe are sufficient for HIPAA compliance.

“Our team expected the message to bounce,” said Hoala Greevy, CEO of Paubox. “Instead, it went through unencrypted—and unless you knew where to look in the headers, you’d have no idea.”

Microsoft’s fallback behavior directly contradicts the expectations outlined in HIPAA’s Security Rule (45 CFR §164.312(e)(1)), which requires technical safeguards to ensure PHI is protected in transit. If encryption fails, and there is no way to detect or prove it, healthcare organizations may be unknowingly transmitting PHI without the protections HIPAA requires.

According to the report:

  • Microsoft 365 will attempt TLS fallback—and if that fails, deliver in cleartext
  • No warning or notification is provided to the sender
  • Encryption failures are not recorded in any accessible audit trail
  • This behavior is the default, not a misconfiguration
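
The evidence Greevy refers to lives in the message's Received headers: each receiving server records the SMTP keyword it accepted the message with (ESMTPS or ESMTPSA for a TLS session, ESMTP for cleartext, per RFC 3848), and several providers additionally annotate the hop with a version=TLS... clause. The checker below is an added example, not code from the report or from Paubox; it parses a constructed sample message and flags every hop that carries no evidence of TLS, which is the kind of per-message audit a force-TLS policy never gives you on its own. The hostnames, IDs and cipher string are made up, and the version= pattern is assumed from common provider formatting rather than any standard.

```python
import re
from email import message_from_string

# "with" keywords that mean the hop was received over TLS (RFC 3848 and RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed sample: inner hop (2nd Received) was TLS 1.2, outer hop (1st) plain ESMTP.
SAMPLE_MESSAGE = """\
Received: from mail.clinic.example ([192.0.2.10])
 by inbound.lab.example with ESMTP id abc123;
 Mon, 1 Jan 2024 10:00:00 +0000
Received: from outbound.tenant.example ([198.51.100.7])
 by mail.clinic.example with ESMTPS id xyz789
 (version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256);
 Mon, 1 Jan 2024 09:59:58 +0000
From: sender@tenant.example
To: recipient@clinic.example
Subject: TLS delivery check

(test body)
"""


def hop_transport(received: str) -> dict:
    """Classify one Received header by its SMTP keyword and any version=TLS annotation."""
    flat = " ".join(received.split())          # undo header folding
    with_kw = re.search(r"\bwith\s+([A-Za-z0-9]+)", flat)
    protocol = with_kw.group(1).upper() if with_kw else None
    version = re.search(r"version=(TLS[0-9_.]+)", flat)
    tls_version = version.group(1) if version else None
    return {
        "protocol": protocol,
        "tls_version": tls_version,
        "encrypted": protocol in TLS_PROTOCOLS or tls_version is not None,
        "hop": flat,
    }


def audit_hops(raw_message: str) -> list:
    """One classification per Received hop, outermost (most recent) first."""
    msg = message_from_string(raw_message)
    return [hop_transport(h) for h in msg.get_all("Received", [])]


def cleartext_hops(raw_message: str) -> list:
    """Hops with no evidence of TLS: what a force-TLS policy should never produce."""
    return [h for h in audit_hops(raw_message) if not h["encrypted"]]


if __name__ == "__main__":
    for hop in cleartext_hops(SAMPLE_MESSAGE):
        print("NO TLS EVIDENCE:", hop["hop"])
```

Received headers are written by each receiving server and are not tamper-proof, so a hop marked ESMTPS is a claim by that server, not a proof; a hop marked ESMTP is still the signal the report says Microsoft 365 leaves behind.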

Paubox also calls out broader issues with relying on force TLS settings in cloud platforms, describing the practice as a “false sense of security that cannot be audited.”

Healthcare IT and compliance leaders are encouraged to review the findings and test their own environments.

The full report, How Microsoft and Google Put PHI at Risk, is available here: https://hubs.la/Q03v1MCR0

Contacts

Media Contact:
Dawn Halpin
press@paubox.com

Paubox
