Commentary

HIPAA Slip: Unencrypted Emails May Be Getting Through, Study Says

Gaps in Microsoft’s and Google’s email encryption could be putting healthcare organizations at risk of non-compliance with HIPAA, the law that protects medical privacy, a report from Paubox contends.

Email is widely used by healthcare firms to send lab results, care instructions, appointment notifications and marketing. But HIPAA requires that such emails be encrypted, says the new Paubox study, titled How Microsoft and Google put PHI at risk.

Platforms like Microsoft 365 and Google Workspace promise encryption, and most IT teams “take that promise at face value,” the study states.

But that trust may be misplaced, it continues. Both platforms can deliver messages using deprecated encryption protocols without warning the sender, a “built-in failure mode that leaves sensitive data exposed and compliance assumptions shattered.” That puts protected health information (PHI) at risk.

Specifically, Paubox asserts that Google Workspace still delivers messages over TLS 1.0 and 1.1, versions that were formally deprecated in 2021 (RFC 8996). It also claims that Microsoft 365 refuses those versions but sends the message anyway, unencrypted.

We could not independently confirm these allegations. But here’s how the firm came to them. 

Paubox researchers ran a series of controlled experiments. They found that Microsoft 365 may deliver a message in cleartext when TLS negotiation fails, without warning the sender, and that this happened precisely when the recipient server supported only legacy TLS versions. That is the default opportunistic-TLS (STARTTLS) behaviour of SMTP: unless the sending platform is configured to require TLS, a failed negotiation falls back to plain SMTP rather than producing a bounce.

The firm set up “recipient mail systems that only accept legacy TLS protocols — first TLS 1.0, then TLS 1.1,” it says. “Any organization that exchanges email across a broad healthcare ecosystem is likely to encounter them.”

Paubox adds, “We sent emails from each platform to these recipient servers and captured the message headers to analyze the encryption protocols used during transmission.”

The test messages contained simulated PHI; a real message would have crossed the same unencrypted path.

The Paubox team expected such a message to bounce.  

“Instead, it went through unencrypted—and unless you knew where to look in the headers, you’d have no idea,” says Hoala Greevy, CEO of Paubox.
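Where to look in the headers, as an added example rather than Paubox's own tooling or anything from the report: every mail server that accepts a message prepends a Received: header, and that header records how the hop was encrypted. Exchange Online writes a clause of the form `(version=TLS1_2, cipher=...)`; Postfix, when it is configured to log it, writes `(using TLSv1.2 with cipher ...)` and marks a TLS session as `with ESMTPS`; a hop received `with ESMTP` and no such clause was plain SMTP. The script below parses the Received: chain of a raw message and reports the weakest hop. All hostnames, addresses and sample messages are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample messages (not captures from the Paubox report). Each is the
# raw RFC 5322 text as the recipient MX would store it: newest Received: header
# on top. The internal hop is annotated Exchange-style, the final hop
# Postfix-style, and only the final hop differs between the three samples.
EXCHANGE_HOP = (
    "Received: from mb1.internal.example-cloud.test (2001:db8:1::15)\n"
    " by mb2.internal.example-cloud.test (2001:db8:1::10) with Microsoft SMTP Server\n"
    " (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7633.21;\n"
    " Tue, 4 Jun 2024 10:15:00 +0000\n"
)
BODY = (
    "From: nurse@example-clinic.test\n"
    "To: results@partner-lab.test\n"
    "Subject: Lab results (simulated PHI)\n"
    "\n"
    "Patient 0001: potassium within normal range.\n"
)
# Final hop delivered with plain "ESMTP": no TLS clause at all.
MSG_CLEARTEXT = (
    "Received: from mx1.outbound.example-cloud.test (mx1.outbound.example-cloud.test [192.0.2.25])\n"
    "\tby legacy-mx.partner-lab.test (Postfix) with ESMTP id 7D4F2A1B3C\n"
    "\tfor <results@partner-lab.test>; Tue, 4 Jun 2024 10:15:02 +0000\n"
) + EXCHANGE_HOP + BODY
# Final hop negotiated TLS 1.0 (Postfix logs it as "TLSv1").
MSG_LEGACY = (
    "Received: from mx1.outbound.example-cloud.test (mx1.outbound.example-cloud.test [192.0.2.25])\n"
    "\t(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))\n"
    "\t(No client certificate requested)\n"
    "\tby legacy-mx.partner-lab.test (Postfix) with ESMTPS id 3C9E1B2A44\n"
    "\tfor <results@partner-lab.test>; Tue, 4 Jun 2024 10:20:41 +0000\n"
) + EXCHANGE_HOP + BODY
# Final hop negotiated TLS 1.3.
MSG_MODERN = MSG_LEGACY.replace("using TLSv1 with cipher ECDHE-RSA-AES256-SHA",
                                "using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384")

UNFOLD = re.compile(r"\r?\n[ \t]+")  # RFC 5322 folding whitespace
# Exchange style "(version=TLS1_2, cipher=...)", Postfix style "(using TLSv1.2 with cipher ...)"
TLS_CLAUSE = re.compile(r"(?:version=|using )(TLS1_\d|TLSv1(?:\.\d)?|SSLv\d)")
# Postfix marks a TLS session in the protocol name even when it does not log the version
ESMTPS = re.compile(r"\bwith (?:UTF8)?E?SMTPSA?\b")
LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
SEVERITY = {"modern": 0, "tls-unknown-version": 1, "legacy": 2, "cleartext": 3}


def received_headers(raw_message: str) -> list:
    """Received: values in transit order (oldest hop first).

    Every MTA prepends its own Received: line, so the header block is
    newest-first; reverse it so hop N is the Nth server the message reached."""
    header_block = raw_message.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = UNFOLD.sub(" ", header_block).split("\n")
    values = [ln[len("Received:"):].strip() for ln in lines if ln.lower().startswith("received:")]
    return list(reversed(values))


def negotiated_version(received_value: str) -> Optional[str]:
    """TLS version the receiving server recorded for this hop, as TLSvX.Y, or None."""
    m = TLS_CLAUSE.search(received_value)
    if not m:
        return None
    v = m.group(1).replace("TLS1_", "TLSv1.")  # Exchange "TLS1_2" -> "TLSv1.2"
    return "TLSv1.0" if v == "TLSv1" else v     # Postfix logs TLS 1.0 as "TLSv1"


def classify_hop(received_value: str) -> tuple:
    version = negotiated_version(received_value)
    if version is None:
        if ESMTPS.search(received_value):
            return "tls-unknown-version", None  # encrypted, but the MX did not record the version
        return "cleartext", None                # plain SMTP: the fallback Paubox describes
    return ("legacy" if version in LEGACY_VERSIONS else "modern"), version


def audit(raw_message: str) -> list:
    """One record per hop: which server received it and how the hop was encrypted."""
    hops = []
    for n, value in enumerate(received_headers(raw_message), start=1):
        status, version = classify_hop(value)
        by = re.search(r"\bby\s+(\S+)", value)
        hops.append({"hop": n, "by": by.group(1) if by else "?", "status": status, "version": version})
    return hops


def weakest_link(raw_message: str) -> str:
    """Worst status along the whole path; a compliance check must look at this, not the average."""
    hops = audit(raw_message)
    if not hops:
        return "no-received-headers"
    return max(hops, key=lambda h: SEVERITY[h["status"]])["status"]


if __name__ == "__main__":
    for name, msg in (("cleartext", MSG_CLEARTEXT), ("legacy", MSG_LEGACY), ("modern", MSG_MODERN)):
        print(f"--- {name}: weakest link = {weakest_link(msg)}")
        for hop in audit(msg):
            print(f"  hop {hop['hop']}: by {hop['by']:<35} {hop['status']:<20} {hop['version']}")
```

Two caveats when using a check like this. Received: headers are written by the receiving server, so the status of the final hop exists only in the recipient's copy of the message; a sender cannot discover the fallback from its own Sent folder, which is why Paubox had to operate the recipient servers itself. And headers added by earlier hops are just text a previous server wrote, so only the lines added by servers you control are evidence. Detection after the fact is also the weaker control: the fallback is standard opportunistic STARTTLS behaviour, and a sender that needs a guarantee has to configure its outbound path to require TLS and then confirm, as Paubox did, that a legacy-only recipient actually produces a bounce.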

The takeaway? “If your HIPAA compliance strategy depends on TLS settings you haven’t tested, this is your warning,” Paubox says. 
