Skip to main content
Recent Quotes
My Watchlist
Indicators
Markets
Stocks
ETFs
Tools
Markets:
Overview
News
Currencies
International
Treasuries

Microsoft’s Email Encryption Behavior May Violate HIPAA, New Paubox Report Warns

By: via Business Wire

New evidence shows Microsoft 365 may expose sensitive health information over email without encryption or notice—posing HIPAA compliance risks for providers

A new report from Paubox, a leader in HIPAA compliant email, reveals that Microsoft 365’s email encryption behavior could be putting healthcare organizations at serious risk of noncompliance.

In a series of controlled TLS experiments, Paubox researchers found that Microsoft 365 may transmit messages in cleartext when encryption fails, without bouncing the message, alerting the sender, or logging any evidence of the failure. This occurred when messages were sent to recipient servers that did not support modern TLS protocols.

The messages in question contained simulated PHI and were sent in accordance with typical “force TLS” configurations that many IT leaders believe are sufficient for HIPAA compliance.

“Our team expected the message to bounce,” said Hoala Greevy, CEO of Paubox. “Instead, it went through unencrypted—and unless you knew where to look in the headers, you’d have no idea.”

Microsoft’s fallback behavior directly contradicts the expectations outlined in HIPAA’s Security Rule (45 CFR §164.312(e)(1)), which requires technical safeguards to ensure PHI is protected in transit. If encryption fails, and there is no way to detect or prove it, healthcare organizations may be unknowingly transmitting PHI without the protections HIPAA requires.

According to the report:

  • Microsoft 365 will attempt TLS fallback—and if that fails, deliver in cleartext
  • No warning or notification is provided to the sender
  • Encryption failures are not recorded in any accessible audit trail
  • This behavior is the default, not a misconfiguration

Paubox also calls out broader issues with relying on force TLS settings in cloud platforms, calling the practice a “false sense of security that cannot be audited.”

Healthcare IT and compliance leaders are encouraged to review the findings and test their own environments.

The full report, How Microsoft and Google Put PHI at Risk, is available here: https://hubs.la/Q03v1MCR0

Microsoft 365’s email encryption behavior could be putting healthcare organizations at serious risk of noncompliance

Contacts

More News

View More
Jefferies Raises Broadcom Price Target to $315: 19% Upside Ahead
Via MarketBeat
Topics Artificial Intelligence
Tickers AVGO NVDA
Whiplash for Investors: AeroVironment's Confusing Stock Signals
Via MarketBeat
Tickers AVAV GS
The Ultimate Trump Bump: These Gov't Backed Stocks Are Exploding
Via MarketBeat
Topics Government
Tickers FMCC FNMA
Insider Selling at NVIDIA Could Turn Into an Opportunity
Via MarketBeat
Tickers AMZN META NVDA
3 Utility Stocks That Combine Income and Stability
Via MarketBeat
Topics ETFs Economy
Tickers AEP D NEE
Stock Quote API & Stock News API supplied by www.cloudquote.io
Quotes delayed at least 20 minutes.
By accessing this page, you agree to the following
Privacy Policy and Terms Of Service.