Close Menu
Solutions & Tech

Microsoft’s Email Encryption Behavior May Violate HIPAA

Staff WriterBy No Comments2 Mins Read0 Views


New evidence shows Microsoft 365 may expose sensitive health information over email without encryption or notice—posing HIPAA compliance risks for providers

A new report from Paubox, a leader in HIPAA compliant email, reveals that Microsoft 365’s email encryption behavior could be putting healthcare organizations at serious risk of noncompliance.

In a series of controlled TLS experiments, Paubox researchers found that Microsoft 365 may transmit messages in cleartext when encryption fails, without bouncing the message, alerting the sender, or logging any evidence of the failure. This occurred when messages were sent to recipient servers that did not support modern TLS protocols.

Cyber Technology Insights : Available Infrastructure Launches SanQtum, a First-of-a-Kind Cybersecurity and Edge-AI Solution

The messages in question contained simulated PHI and were sent in accordance with typical “force TLS” configurations that many IT leaders believe are sufficient for HIPAA compliance.

“Our team expected the message to bounce,” said Hoala Greevy, CEO of Paubox. “Instead, it went through unencrypted—and unless you knew where to look in the headers, you’d have no idea.”

Microsoft’s fallback behavior directly contradicts the expectations outlined in HIPAA’s Security Rule (45 CFR §164.312(e)(1)), which requires technical safeguards to ensure PHI is protected in transit. If encryption fails, and there is no way to detect or prove it, healthcare organizations may be unknowingly transmitting PHI without the protections HIPAA requires.

Cyber Technology Insights : New Willis Survey Highlights Changing Global Trends in Cyber Risk Strategy

According to the report:

Microsoft 365 will attempt TLS fallback—and if that fails, deliver in cleartext

No warning or notification is provided to the sender

Encryption failures are not recorded in any accessible audit trail

This behavior is the default, not a misconfiguration

Paubox also calls out broader issues with relying on force TLS settings in cloud platforms, calling the practice a “false sense of security that cannot be audited.”

Cyber Technology Insights : Curve Pay and Thales Join Forces to Securely Transform Digital Wallets on iPhone

To participate in our interviews, please write to our CyberTech Media Room at sudipto@intentamplify.com

Source: businesswire



Source link

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Leave A Reply