New evidence shows Microsoft 365 may expose sensitive health information over email without encryption or notice—posing HIPAA compliance risks for providers

A new report from Paubox, a leader in HIPAA compliant email, reveals that Microsoft 365’s email encryption behavior could be putting healthcare organizations at serious risk of noncompliance.

In a series of controlled TLS experiments, Paubox researchers found that Microsoft 365 may transmit messages in cleartext when encryption fails, without bouncing the message, alerting the sender, or logging any evidence of the failure. This occurred when messages were sent to recipient servers that did not support modern TLS protocols.

The messages in question contained simulated PHI and were sent in accordance with typical “force TLS” configurations that many IT leaders believe are sufficient for HIPAA compliance.

“Our team expected the message to bounce,” said Hoala Greevy, CEO of Paubox. “Instead, it went through unencrypted—and unless you knew where to look in the headers, you’d have no idea.”

Microsoft’s fallback behavior directly contradicts the expectations outlined in HIPAA’s Security Rule (45 CFR §164.312(e)(1)), which requires technical safeguards to ensure PHI is protected in transit. If encryption fails, and there is no way to detect or prove it, healthcare organizations may be unknowingly transmitting PHI without the protections HIPAA requires.

According to the report:

  • Microsoft 365 will attempt TLS fallback—and if that fails, deliver in cleartext
  • No warning or notification is provided to the sender
  • Encryption failures are not recorded in any accessible audit trail
  • This behavior is the default, not a misconfiguration
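As an added, defender-side illustration that is not part of the Paubox report or of Microsoft's own tooling: the one place the quoted fallback would surface is the message's Received headers, so the Python script below walks those headers and flags every hop that shows no evidence of TLS. The sample message and the TLS-detection heuristics are constructed assumptions, not values from the report.

```python
import re
import email

# Constructed sample message (not from the report). Received headers are
# prepended, so the newest hop comes first: delivery into the recipient's
# MX ran over plain "ESMTP" with no TLS details, while the earlier
# internal hop used "ESMTPS" with a TLS version and cipher recorded.
SAMPLE_RAW = """Received: from mail.example-clinic.test (mail.example-clinic.test [192.0.2.10])
 by mx.example-recipient.test with ESMTP id abc123;
 Tue, 01 Jan 2030 10:00:02 +0000
Received: from sender.example-clinic.test ([192.0.2.5])
 by mail.example-clinic.test with ESMTPS (TLSv1.2, AES256-GCM-SHA384)
 id xyz789; Tue, 01 Jan 2030 10:00:01 +0000
From: clinic@example-clinic.test
To: doctor@example-recipient.test
Subject: appointment follow-up

(simulated message body)
"""

# Heuristics, assumed here: a hop counts as TLS-protected when its "with"
# clause names an SMTP-over-TLS protocol (ESMTPS, ESMTPSA, SMTPS, LMTPS) or
# the header carries TLS details such as "version=TLS1_2", the form seen in
# headers written by Microsoft relays. Anything else is flagged.
TLS_PROTO = re.compile(r"\bwith\s+(?:E?SMTPSA?|LMTPS)\b", re.IGNORECASE)
TLS_DETAIL = re.compile(r"\bTLS")


def received_hops(raw_message: str) -> list[str]:
    """Return the Received headers, newest first, with folding collapsed."""
    msg = email.message_from_string(raw_message)
    return [" ".join(str(h).split()) for h in msg.get_all("Received", [])]


def hop_used_tls(hop: str) -> bool:
    """True when a single Received header shows evidence of TLS."""
    return bool(TLS_PROTO.search(hop) or TLS_DETAIL.search(hop))


def cleartext_hops(raw_message: str) -> list[str]:
    """Received headers of hops that show no evidence of TLS."""
    return [hop for hop in received_hops(raw_message) if not hop_used_tls(hop)]


if __name__ == "__main__":
    for hop in cleartext_hops(SAMPLE_RAW):
        print("no TLS evidence on hop:", hop)
```

Run against a mailbox export, the flagged hops give an organization its own audit trail of cleartext delivery, which is the evidence the report says the platform does not log.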

Paubox also calls out broader issues with relying on force TLS settings in cloud platforms, calling the practice a “false sense of security that cannot be audited.”

Source: businesswire