
Microsoft’s Email Encryption Behavior May Violate HIPAA, New Paubox Report Warns


Business Wire

New evidence shows Microsoft 365 may expose sensitive health information over email without encryption or notice—posing HIPAA compliance risks for providers

SAN FRANCISCO: #PHI--A new report from Paubox, a leader in HIPAA compliant email, reveals that Microsoft 365’s email encryption behavior could be putting healthcare organizations at serious risk of noncompliance.

In a series of controlled TLS experiments, Paubox researchers found that Microsoft 365 may transmit messages in cleartext when encryption fails, without bouncing the message, alerting the sender, or logging any evidence of the failure. This occurred when messages were sent to recipient servers that did not support modern TLS protocols.

The messages in question contained simulated PHI and were sent in accordance with typical “force TLS” configurations that many IT leaders believe are sufficient for HIPAA compliance.

“Our team expected the message to bounce,” said Hoala Greevy, CEO of Paubox. “Instead, it went through unencrypted—and unless you knew where to look in the headers, you’d have no idea.”

Microsoft’s fallback behavior directly contradicts the expectations outlined in HIPAA’s Security Rule (45 CFR §164.312(e)(1)), which requires technical safeguards to ensure PHI is protected in transit. If encryption fails, and there is no way to detect or prove it, healthcare organizations may be unknowingly transmitting PHI without the protections HIPAA requires.

According to the report:

  • Microsoft 365 will attempt TLS fallback—and if that fails, deliver in cleartext
  • No warning or notification is provided to the sender
  • Encryption failures are not recorded in any accessible audit trail
  • This behavior is the default, not a misconfiguration

Paubox also calls out broader issues with relying on force TLS settings in cloud platforms, calling the practice a “false sense of security that cannot be audited.”

Healthcare IT and compliance leaders are encouraged to review the findings and test their own environments.
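The report notes that the only trace of a cleartext hop is in the message headers. The following Python script is an added example, not code from Paubox or from the report: it walks a received message's Received headers, outermost hop first, and flags any hop that carries no TLS marker. The sample message, hostnames and addresses are constructed, and the three header conventions it recognizes (the Microsoft SMTP Server "version=TLS1_2, cipher=..." parenthetical, Postfix's "using TLSv1.3 with cipher ..." and the RFC 3848 "with ESMTPS"/"ESMTPSA" keywords) are assumptions about common MTA behaviour, not findings taken from the report.

```python
import re
from email import message_from_string

# Constructed sample, not taken from the Paubox report: a message that reached
# our domain through two hops. The outer hop records a TLS version in the
# Microsoft-style parenthetical; the inner hop records none, so nothing in the
# headers shows that it was encrypted.
SAMPLE_MESSAGE = """Received: from mail-a.example.net (10.0.0.1) by
 mail-b.example.net (10.0.0.2) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1234.5; Mon, 1 Jan 2024
 10:00:00 +0000
Received: from legacy-mx.example.org (192.0.2.10) by mail-a.example.net
 (10.0.0.1) with Microsoft SMTP Server id 15.20.1234.5; Mon, 1 Jan 2024
 09:59:58 +0000
From: sender@example.org
To: recipient@example.net
Subject: constructed test message

(body)
"""

# Three ways receiving MTAs commonly record that a hop used TLS (assumed
# conventions, verify against your own mail flow):
#  - Exchange Online / Microsoft SMTP Server: "(version=TLS1_2, cipher=...)"
#  - Postfix:                                "(using TLSv1.3 with cipher ...)"
#  - RFC 3848 "with" keywords ending in S:    "with ESMTPS", "with ESMTPSA"
TLS_PATTERNS = [
    re.compile(r"\bversion=(TLS[0-9_.]+)", re.I),
    re.compile(r"\busing\s+(TLSv?[0-9.]+)", re.I),
    re.compile(r"\bwith\s+((?:UTF8)?E?SMTPSA?)\b"),
]


def tls_evidence(received):
    """Return the matched TLS marker for one unfolded Received header, or None."""
    for pattern in TLS_PATTERNS:
        m = pattern.search(received)
        if m:
            return m.group(1)
    return None


def parse_received_hops(raw_message):
    """Parse every Received header (outermost first) into a hop record."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        unfolded = " ".join(value.split())  # join folded continuation lines
        sender = re.match(r"from\s+(\S+)", unfolded)
        receiver = re.search(r"\bby\s+(\S+)", unfolded)
        hops.append({
            "from": sender.group(1) if sender else None,
            "by": receiver.group(1) if receiver else None,
            "tls": tls_evidence(unfolded),
        })
    return hops


def cleartext_hops(raw_message):
    """Hops whose Received header carries no evidence that TLS was used."""
    return [hop for hop in parse_received_hops(raw_message) if hop["tls"] is None]


if __name__ == "__main__":
    for hop in parse_received_hops(SAMPLE_MESSAGE):
        status = hop["tls"] or "NO TLS EVIDENCE"
        print(f"{hop['from']} -> {hop['by']}: {status}")
```

Two caveats for anyone running this against real mail. A hop without a marker is a hop you cannot prove was encrypted, which is the auditing problem the report describes, not proof that it was cleartext; check the receiving server's logs before drawing conclusions. And this check only works on mail you receive: the sender of an outbound message never sees the Received line that the remote server writes, so a sending organization cannot use headers to detect its own provider's fallback after the fact.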

The full report, How Microsoft and Google Put PHI at Risk, is available here: https://hubs.la/Q03v1MCR0

Source: Business Wire
