In November, the global healthcare cloud market was valued at $63.55 billion and was projected to grow to $197.45 billion by 2032. Healthcare workers rely on the cloud for various day-to-day operations, including email services. Cloud email services, also known as webmail or hosted email services, are email platforms provided by third-party vendors that deliver email services over the internet.
The cloud is a primary target for cyberattackers trying to access patients’ protected health information (PHI). Cloud email vulnerabilities can create serious consequences for healthcare providers, patients, and their PHI. Healthcare organizations need to understand more about webmail and how to avoid any threats and/or the aftermath in case they do occur.
The Health Insurance Portability and Accountability Act (HIPAA) sets the rules and regulations surrounding access to and disclosure of PHI. The HIPAA Privacy Rule establishes the national standards to protect PHI, while the Security Rule creates a framework for the defense of electronic PHI (ePHI). To enhance data confidentiality, healthcare organizations must prioritize HIPAA compliance by using strong security measures.
HIPAA compliance promotes strong security, especially as data breaches in the healthcare industry increase. According to reports, the total number of individuals affected by healthcare data breaches from 2005 to 2019 was 249.09 million. Of these, 157.4 million individuals were impacted in the last five years alone.
Cloud-based email services manage their email infrastructure over the internet rather than in a physical setting. Healthcare organizations can subscribe to these services and access email accounts through a web browser or email client. Healthcare providers sign up for a cloud email (i.e., a digital mailbox), getting access to the mailbox, the ability to send and receive email messages, storage and security, and sometimes extra features, such as shared calendars, contact lists, and file storage.
In general, such third-party organizations offer healthcare organizations flexibility and cost-efficiency. Other advantages include:
For healthcare organizations, understanding what happens to data sent and stored through email and having appropriate access controls in place are both crucial for compliance.
In 2025, technology continued to be a major part of healthcare. Since the early 1990s, electronic health records (EHRs) have largely replaced paper records, giving providers and patients real-time access to information over the internet. According to the Centers for Medicare & Medicaid Services (CMS), EHRs hold the “key administrative clinical data relevant to that person’s care under a particular provider, including demographics, progress notes, problems, medications, vital signs, past medical history, immunizations, laboratory data, and radiology reports.”
We have also seen the growth of telemedicine. A national study of 36 million working-age individuals with private insurance claims shows that telemedicine encounters increased 766% in the first 3 months of the pandemic, from 0.3% of all interactions in March to June 2019, to 23.6% of all interactions in the same period.
While cloud email services provide numerous advantages, they also introduce risks related to data security, privacy, technical challenges, and service reliability. If a provider’s records are not properly secured, attackers can easily gain access to sensitive health data, even within an email account. Risks associated with cloud email services include:
Blackbaud is a cloud service customer relationship management (CRM) platform for 35,000 educational institutions, nonprofits, and healthcare organizations. In 2020, a ransomware attacker found an entry point into Blackbaud’s system, compromising the data of several companies that use its services. Data accessed included personally identifiable information (PII) and PHI of individuals related to the Northern Light Health Foundation, the Children’s Hospital of Pittsburgh Foundation, and Trinity Health, among others.
The company decided to pay the ransom to receive confirmation that all data copies had been destroyed. Ransomware is the dominant force behind healthcare data breaches. A recent study even estimates that ransomware attacks have exposed or stolen the health data of at least 375 million individuals over the past 15 years, a number that continues to grow.
As the FBI has stated repeatedly, paying a ransom does not guarantee that stolen data is destroyed, so there was no assurance that Blackbaud’s copied data actually was. In the aftermath, Blackbaud paid a $3 million civil penalty to the Securities and Exchange Commission (SEC), along with $50 million in a lawsuit led by state attorneys general. Moreover, affected individuals never received complete reassurance that their information was safe.
Organizations can face hefty fines and penalties for HIPAA violations and reputational damage that can affect patient trust and long-term viability. HIPAA violations can result in civil monetary penalties, ranging from $141 to $571,162 per violation, with an annual maximum of $2,067,813 for violations. The severity of the penalty depends on the level of negligence involved, the extent of harm caused, the organization’s compliance history, and the steps taken to correct the issue.
Healthcare providers need to continuously monitor their systems after a breach for anomalies and/or strange behavior. If an organization suspects that its system has been breached, it should identify and confirm the situation, then take steps to stop the leak of PHI.
They should continuously update and strengthen the security measures that protect cloud access, such as training employees, using advanced access controls, regularly updating their systems, and developing incident response plans. They should also conduct thorough security audits and compliance reviews to identify further vulnerabilities. After detection and investigation, organizations must follow the Breach Notification Rule and notify affected individuals, the government, and the media.
Swift and transparent communication helps lessen the fallout and indicates an organization’s commitment to rectifying a breach and ensuring it does not occur again. Proper mitigation can keep more patient data from being exposed and protect a healthcare organization from committing a HIPAA violation.
HIPAA compliance involves continuously updating security measures to protect sensitive health information and to avoid breaches. One of the first steps toward HIPAA compliance is conducting a risk assessment. This assessment helps identify vulnerabilities and develop strategies to address them. Other steps to avoid cloud threats include:
Paubox Email Suite is a HIPAA compliant email solution designed for healthcare organizations to securely communicate PHI without disrupting workflow. Unlike traditional encrypted email services that require recipients to log in to portals or enter passwords, Paubox seamlessly encrypts all outbound emails, delivering them directly to recipients’ inboxes. It integrates with existing email platforms like Google Workspace and Microsoft 365, ensuring seamless security while maintaining ease of use. With built-in threat detection, spam filtering, and robust encryption, Paubox Email Suite helps healthcare providers, payers, and business associates meet regulatory requirements while enhancing communication efficiency.
What is a business associate?
A person or entity that performs certain functions or activities on behalf of covered entities.
Can I integrate third-party applications with my cloud email service?
Yes, many cloud email services offer integration capabilities with third-party applications and services through APIs or built-in integration features. Users can integrate email with productivity tools, CRM systems, project management software, and other business applications to streamline workflows and improve efficiency.
Can healthcare organizations use any cloud storage provider for storing PHI?
Healthcare organizations can use cloud storage providers for PHI, but they must ensure the provider signs a business associate agreement (BAA) and complies with HIPAA's Security and Privacy Rules.
Are there specific requirements for storing PHI in cloud storage?
Yes, PHI stored in cloud storage must be encrypted both at rest and in transit, and access controls must be in place to restrict unauthorized access.
How does Paubox Email Suite ensure HIPAA compliance?
Paubox automatically encrypts all outbound emails using TLS 1.2 and 1.3 encryption, ensuring PHI is secure during transmission.
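The in-transit requirement above (TLS 1.2 or 1.3 only) can be enforced on the sending side as well. The following is an added example, not Paubox's code or the page's own: it configures Python's `smtplib` to refuse any STARTTLS handshake below TLS 1.2, verifies the server certificate, and double-checks the negotiated version before PHI leaves the client. The host, port and credentials are placeholders.

```python
import smtplib
import ssl
from email.message import EmailMessage

# Policy stated on the page: PHI in transit must use TLS 1.2 or 1.3.
MIN_TLS = ssl.TLSVersion.TLSv1_2
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}  # strings returned by SSLSocket.version()


def make_tls_context() -> ssl.SSLContext:
    """Client context that verifies the server certificate and refuses SSLv3/TLS 1.0/TLS 1.1.

    A bare smtplib.SMTP.starttls() with no context falls back to library defaults;
    pinning the minimum version makes the policy explicit and auditable.
    """
    ctx = ssl.create_default_context()  # loads system CAs, enables hostname checking
    ctx.minimum_version = MIN_TLS
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def version_is_acceptable(negotiated: str) -> bool:
    """Return True only for protocol versions the policy allows."""
    return negotiated in ACCEPTED_VERSIONS


def send_phi_message(host: str, port: int, user: str, password: str,
                     msg: EmailMessage) -> str:
    """Submit a message over STARTTLS and return the negotiated TLS version.

    The context already blocks weak versions; the explicit check below is a
    second guard so the failure is logged as a policy violation, not a socket error.
    (host/port/user/password are placeholders supplied by the caller.)
    """
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.starttls(context=make_tls_context())
        negotiated = smtp.sock.version()  # e.g. "TLSv1.3"
        if not version_is_acceptable(negotiated):
            raise RuntimeError(f"refusing to send PHI over {negotiated}")
        smtp.login(user, password)
        smtp.send_message(msg)
    return negotiated
```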