When a single email platform is involved in more than half of all email-related healthcare breaches, choosing to use it becomes a decision that requires evaluating its compliance and security. Healthcare organizations exchange PHI constantly: lab results, referrals, billing data, and care instructions. As De Gagne and her colleagues document, email has become foundational to virtually every clinical and administrative workflow. That importance makes Microsoft 365's security architecture a HIPAA compliance variable that most organizations never evaluate.
Given how important email is, choosing a platform is a compliance decision rather than solely an IT one. A Paubox report on healthcare email security found that in 2025, Microsoft 365 was involved in 52% of email-related breaches reported by healthcare organizations, up from 43% in 2024. The Microsoft Digital Defense Report 2025 identifies healthcare as one of the top 10 sectors most impacted by cyber threats globally, with the sector specifically named as a target by multiple nation-state actors and financially motivated groups. Business email compromise (BEC), which relies on email platform compromise, was a more frequent attack outcome (21%) than ransomware (16%). The report also notes that cloud platform security decisions have ecosystem-wide consequences, and that sectors with decentralized IT management and inconsistent MFA enforcement, including rural healthcare, are disproportionately vulnerable to credential-based attacks.
The scale of the problem
A 2025 Paubox survey of IT leaders and practice managers at small healthcare organizations found that 43% reported experiencing a phishing or spoofing incident in the past year, yet more than 80% expressed confidence in their compliance posture. The disconnect between perceived security and actual exposure reflects a fragile email infrastructure built on legacy systems, outdated assumptions, and reactive processes that can no longer keep up with the speed and sophistication of modern threats.
Microsoft 365's involvement in more than half of all email-related breaches makes it the single largest platform factor in healthcare email security failures. The 2025 Paubox certificate report, covering 803,378 unique outbound email relays, found that roughly 4% of connections went to servers with unverifiable certificates, including expired and self-signed ones, meaning that potentially millions of PHI-bearing messages each year are sent to endpoints whose identity cannot be fully validated.
Smith and Abbasi's research on healthcare cybersecurity documents that from 2018 to 2023, there was a 93% growth in large healthcare data breaches, with hacking-related incidents accounting for 77% of all breaches by 2023. Seh's longitudinal analysis of healthcare data breaches found that email represented 17.52% of all breach locations from 2010 to 2019, making it the second most targeted breach vector. Out of 570 email-based breach incidents in that period, 457 were reported in the last four years alone, with 35.03% occurring in 2019. The pattern is clear, and Microsoft 365's market dominance places it at the center.
How Microsoft 365 handles encryption
Microsoft 365 supports TLS encryption for email in transit, but its implementation prioritizes delivery over verification. The platform negotiates the strongest available connection, but when the recipient's server presents an expired, self-signed, or otherwise invalid certificate, Microsoft 365 delivers the message anyway rather than blocking it. This design decision has specific HIPAA implications that most healthcare organizations never see.
The cryptographic research of Krawczyk, Paterson, and Wee proves why silent certificate failures are dangerous: TLS security "relies crucially on there being no side channel that would reveal the existence of decryption failures to the attacker." Microsoft 365's permissive delivery behavior effectively creates that side channel by confirming to potential attackers that messages will be delivered regardless of certificate validity.
In browser-based connections, certificate failures trigger visible warnings that users must actively bypass. Email transport operates under different rules. Microsoft 365 silently accepts invalid certificates and delivers messages without alerting the sender. For healthcare organizations, this means PHI can move through an unverifiable connection without generating any compliance signal: no failed delivery notice, no audit flag, and no indication that encryption was compromised.
From the sender's perspective, the email was delivered successfully. From a compliance perspective, the organization just transmitted PHI without verifiable encryption and has no audit trail to demonstrate otherwise. The gap between operational success and compliance failure is where HIPAA liability accumulates. Bodipudi's research on healthcare email encryption stresses the limitation that TLS protects data in transit but not at rest, and email service providers can still access unencrypted content on their servers. When this limitation is combined with Microsoft 365's permissive certificate handling, the result is a platform that neither guarantees transit security nor protects stored PHI from provider-side access.
The result is a compliance gap that most organizations never detect. HIPAA requires proof of encryption, not just the assumption that encryption is working. When Microsoft 365 silently accepts an invalid certificate and delivers a message anyway, the organization has no evidence that PHI was transmitted securely, and no alert that it was not.
HIPAA compliance breakdown
HIPAA's Security Rule requires technical measures to guard against unauthorized access to ePHI during transmission. Self-signed certificates cannot satisfy this standard because no third party has verified the server's identity. As the Paubox certificate report found, "HIPAA doesn't spell out 'no self-signed certs,' but the Security Rule requires organizations to verify the integrity of the connection." For organizations on Microsoft 365, this creates a specific problem. The platform's default behavior accepts exactly the kind of unverifiable connections that HIPAA requires organizations to prevent.
The Paubox report about email certificates found that 86% of healthcare IT leaders worry about their HIPAA compliance status, and nearly 70% estimate a violation tied to email would cost more than $250,000. Yet most of these organizations are running Microsoft 365 with default certificate settings that silently accept the very connections HIPAA requires them to verify.
Pool et al.'s research on personal health data breaches identifies noncompliance as a primary breach facilitator, noting that organizations frequently engage in what amounts to symbolic adoption of security measures, where controls exist on paper but fail to provide substantive protection. Having TLS enabled on Microsoft 365 without certificate validation is precisely this kind of symbolic adoption. The investment exists, but the protection does not.
Why Microsoft 365 breaches are rising
Three factors explain why Microsoft 365's involvement in healthcare email breaches continues to grow.
Adoption is expanding
Microsoft 365 has become the default platform for healthcare organizations of all sizes, from rural clinics to enterprise health systems. The Paubox report on email certificates found that 83% of healthcare IT leaders say legacy systems disrupt day-to-day operations, driving migration toward cloud platforms. Even organizations that have migrated to modern cloud platforms inherit the permissive certificate policies that those platforms enforce.
The vendor ecosystem amplifies the risk
Healthcare depends on a complex supply chain of IT vendors, billing companies, EHR add-ons, imaging services, and managed service providers. Healthcare's vendor ecosystem magnifies Microsoft 365's certificate problem. Schneller and Abdulsalam's research found that supply chains receive minimal attention in healthcare management literature despite being the second-largest expense category after labor. The blind spot extends to email infrastructure. When a billing vendor's mail server presents an expired certificate, Microsoft 365 delivers the message anyway. The covered entity has no visibility into the failure, yet retains HIPAA liability for the transmission.
The Paubox certificate report also found that 16% of email-related breaches in 2025 involved business associates. A single broken certificate on a billing vendor's server can expose thousands of patient records. Healthcare organizations rarely audit the certificate infrastructure of downstream vendors, yet HIPAA's business associate requirements create shared liability.
Cloud platform permissiveness spreads risk at scale
Given that a handful of providers like Microsoft and Google now handle a large share of global business email, their certificate-handling decisions impact millions of domains. When these platforms accept weak or unverifiable certificates to ensure deliverability, they silently propagate risk across every organization that depends on them. Schneller and Abdulsalam observed that the COVID-19 pandemic revealed how fragile healthcare supply chains had become: "We are experiencing a paradigm shift, in health care and other industries, from a focus on supply chain efficiency toward one of supply chain resiliency and contingency planning." Email infrastructure deserves the same reconsideration.
Alternatives and solutions
Portal-based encryption offers security but creates friction that undermines adoption. When recipients must navigate portals, manage passwords, and complete additional authentication steps, engagement drops. As Bodipudi's research emphasizes, "The effectiveness of encryption technologies largely depends on their usability and acceptance by end-users." Solutions that create barriers to access may satisfy a compliance checkbox while failing to achieve the secure communication they are designed to enable.
Manual encryption places the burden on individual senders to identify which messages contain PHI and apply appropriate protection. In practice, this is prone to human error. Pool et al.'s study found that "the most common stated breaches originated from not knowing how to use the encryption function in communication via email." When encryption depends on the user remembering to act, it fails at the point where it matters most.
The DevSecOps principle of shifting left, addressing security concerns earlier in processes rather than as an afterthought, applies directly to healthcare email. As Johnson, Smith, and Patel argue, organizations must move beyond reactive security: "The speed at which these workflows operate often comes at the cost of security." Healthcare email infrastructure requires the same proactive stance, where encryption and certificate validation happen automatically before PHI leaves the organization, not after a breach reveals the gap.
Paubox Email Suite addresses this gap by verifying encryption certificates before transmitting PHI. When a recipient's server presents an expired, self-signed, or otherwise invalid certificate, Paubox blocks the standard delivery path and automatically sends the message as a secure Paubox message instead. This eliminates the silent failure mode that makes Microsoft 365's default behavior a compliance risk.
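The following is an added example, not Paubox's or Microsoft's code, implementing the check the encryption section describes and the routing decision just described: probe the recipient's server with a verifying TLS context, and divert the message away from plain SMTP when the certificate cannot be validated. The host name `mx.vendor.example` and the `secure-portal` route label are placeholders.

```python
"""Pre-send STARTTLS certificate check for a recipient mail server (added example,
not Paubox's or Microsoft's code; host names are placeholders)."""
import smtplib
import ssl
from dataclasses import dataclass
from typing import Optional

@dataclass
class TlsProbe:
    host: str
    verified: bool              # chain and host name validated against the CA store
    tls_version: Optional[str]  # e.g. "TLSv1.3" once a verified handshake completed
    error: Optional[str]        # why verification failed, if it did

def strict_context() -> ssl.SSLContext:
    """Verifying context: trusted chain, matching host name, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()  # loads the system CA store
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> TlsProbe:
    """Connect, issue STARTTLS and report whether the server's certificate validates."""
    smtp = None
    try:
        smtp = smtplib.SMTP(host, port, timeout=timeout)
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return TlsProbe(host, False, None, "server does not offer STARTTLS")
        smtp.starttls(context=strict_context())  # handshake fails here on a bad certificate
        return TlsProbe(host, True, smtp.sock.version(), None)
    except ssl.SSLCertVerificationError as exc:
        # Expired, self-signed, wrong-name and untrusted-chain certificates all land here.
        return TlsProbe(host, False, None, f"certificate verification failed: {exc.verify_message}")
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        return TlsProbe(host, False, None, f"STARTTLS failed: {exc}")
    finally:
        if smtp is not None:
            smtp.close()  # no QUIT: the session may be half-upgraded after a failed handshake

def choose_route(probe: TlsProbe) -> str:
    """Plain SMTP over TLS only when the recipient was verified; otherwise divert."""
    return "smtp-tls" if probe.verified else "secure-portal"

if __name__ == "__main__":
    result = probe_starttls("mx.vendor.example")  # placeholder recipient MX
    print(result, "->", choose_route(result))
```

Run it against each business associate's MX to see which vendors would be silently delivered to over an unverifiable connection by a permissive relay.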
FAQs
What is TLS fallback?
TLS fallback occurs when an email server cannot establish a fully encrypted connection using the strongest available protocol and instead negotiates a weaker connection or, in some cases, transmits the message in plaintext.
How does HIPAA view encryption failures?
HIPAA's Security Rule requires organizations to implement technical security measures that guard against unauthorized access to electronic PHI during transmission. While HIPAA does not mandate a specific encryption protocol, it requires organizations to verify the integrity of connections transmitting PHI. When certificate validation fails, and a message is delivered anyway, the organization cannot demonstrate that the transmission was secure, creating regulatory exposure.
What is the difference between encryption in transit and encryption at rest?
Encryption in transit protects data while it is moving between servers, such as when an email travels from the sender's mail server to the recipient's. Encryption at rest protects data while it is stored on a server, database, or device.