
What You Should Know:
– A new report from Paubox reveals that email remains the number one source of HIPAA breaches, with 107 incidents reported in the first half of 2025 alone.
– The analysis identifies a critical flaw in popular platforms like Microsoft 365, which prioritize message delivery over security, often stripping encryption without alerting the sender. With the OCR proposing to upgrade encryption from an “addressable” to a “required” safeguard, healthcare organizations relying on manual toggles or standard delivery settings face imminent regulatory peril.
Illusion of Compliance: Why “Delivery-First” Is Failing Healthcare
The healthcare industry is facing a digital security crisis that is largely invisible to the clinicians and administrators sending the messages. According to a new report by email security provider Paubox, 107 email-related HIPAA breaches were reported to HHS in the first half of 2025, putting the industry on track to surpass 2024’s record figures.
The core issue identified is not a lack of tools, but a fatal flaw in configuration philosophy. While most organizations have Business Associate Agreements (BAAs) and encryption policies in place, the technical reality of “delivery-first” platforms is leaving patient data exposed.
The “Silent Fallback” Risk in Major Platforms
For many IT leaders, the most alarming finding is the role of ubiquitous platforms. The report notes that 52% of email-related breaches in 2025 involved Microsoft 365. The vulnerability lies in how these platforms handle a failed TLS negotiation. When a recipient’s server does not support modern TLS protocols (TLS 1.2 or higher), platforms like Microsoft 365 and Google Workspace often default to a “silent fallback”: they prioritize delivering the message over maintaining security, transmitting the email in plain text rather than bouncing it back.
Crucially, this happens without alerting the sender. An organization can have encryption “enabled” in their settings and still suffer a reportable breach because the platform negotiated down to an insecure protocol to ensure delivery.
The Death of the Secure Portal
To mitigate transmission risks, many health systems rely on secure portals. However, the report argues that portals solve the security requirement by creating a usability crisis. Data from the National Library of Medicine cited in the report indicates that 65% of portal users stop engaging after day one. The friction of creating logins and entering codes causes patients and providers to bypass these systems entirely, often resorting to unsecure workarounds to get information where it needs to go faster.
“Portals meet the security requirement but fail the usability test,” the report states, noting that 22% of users cite difficulty navigating basic functions.
OCR 2025: From Policy to Proof
The stakes for these technical failures are about to rise significantly. The Office for Civil Rights (OCR) has proposed major updates to the HIPAA Security Rule in 2025. The proposed changes would reclassify encryption of ePHI from an “addressable” implementation specification to a “required” safeguard. Under the 2013 rules, “addressable” gave organizations flexibility; the new rule would mandate encryption as a baseline expectation.
Furthermore, the shift is moving from policy-driven compliance to proof-driven accountability. Organizations will need to produce audit logs verifying that encryption safeguards were applied to every outbound message containing PHI.
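The following is an added example, not code from the Paubox report, Microsoft, or Google: a small Python model of the two delivery behaviours described in the “Silent Fallback” section above (opportunistic TLS that falls back to plain text versus an enforced floor that bounces), producing the per-message audit record that the proof-driven accountability paragraph says organizations will need. The recipient capability table, domain names, policy names and message ids are constructed for the demonstration. The `probe_starttls` function uses the standard library’s `smtplib` and `ssl` to check what a real MX host negotiates; it needs network access and is not part of the offline simulation.

```python
"""Model of a "delivery-first" gateway versus an enforced-TLS gateway.

Added example; not the report's or any vendor's code. The recipient table
below is constructed: it stands in for what each recipient MX host would
negotiate on STARTTLS (None means the host offers no STARTTLS at all).
"""
import json
import smtplib
import ssl
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed recipient capabilities (hypothetical domains).
RECIPIENT_TLS: Dict[str, Optional[str]] = {
    "clinic-a.example": "TLSv1.3",      # modern, acceptable
    "lab-b.example": "TLSv1.0",         # legacy, below the TLS 1.2 floor
    "fax-gateway.example": None,        # no STARTTLS offered
}

# The floor the report refers to: TLS 1.2 or higher.
ACCEPTABLE_TLS = ("TLSv1.2", "TLSv1.3")


@dataclass
class AuditRecord:
    """One outbound message, with the proof an auditor would ask for."""
    message_id: str
    recipient_domain: str
    policy: str                 # "opportunistic" or "enforced"
    negotiated: Optional[str]   # TLS version actually negotiated, or None
    action: str                 # delivered-encrypted | delivered-plaintext | bounced
    timestamp: str


def decide(policy: str, message_id: str, recipient_domain: str,
           negotiated: Optional[str]) -> AuditRecord:
    """Apply the gateway policy to one message and record the outcome."""
    if policy not in ("opportunistic", "enforced"):
        raise ValueError(f"unknown policy: {policy}")
    if negotiated in ACCEPTABLE_TLS:
        action = "delivered-encrypted"
    elif policy == "opportunistic":
        # The "silent fallback": delivery wins, the sender is not told.
        action = "delivered-plaintext"
    else:
        # Enforced floor: refuse rather than transmit PHI in the clear.
        action = "bounced"
    return AuditRecord(message_id, recipient_domain, policy, negotiated,
                       action, datetime.now(timezone.utc).isoformat())


def route_outbound(policy: str, messages: List[Tuple[str, str]],
                   capabilities: Dict[str, Optional[str]] = RECIPIENT_TLS
                   ) -> List[AuditRecord]:
    """Run every (message_id, recipient_domain) pair through the policy."""
    return [decide(policy, mid, domain, capabilities.get(domain))
            for mid, domain in messages]


def plaintext_exposures(records: List[AuditRecord]) -> List[str]:
    """Message ids that left the gateway unencrypted: each is a potential breach."""
    return [r.message_id for r in records if r.action == "delivered-plaintext"]


def audit_log_lines(records: List[AuditRecord]) -> List[str]:
    """JSON lines suitable for retention as evidence that a safeguard was applied."""
    return [json.dumps(asdict(r), sort_keys=True) for r in records]


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> Optional[str]:
    """Live check (needs network): which TLS version does this MX negotiate?

    Returns None when the server offers no STARTTLS; raises ssl.SSLError when
    it offers STARTTLS but cannot meet the TLS 1.2 floor set on the context.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return None
        smtp.starttls(context=ctx)
        return smtp.sock.version()


if __name__ == "__main__":
    batch = [("m1", "clinic-a.example"), ("m2", "lab-b.example"),
             ("m3", "fax-gateway.example")]
    for policy in ("opportunistic", "enforced"):
        recs = route_outbound(policy, batch)
        print(f"--- {policy}: exposures={plaintext_exposures(recs)}")
        for line in audit_log_lines(recs):
            print(line)
```

Under the opportunistic policy the second and third messages are delivered in the clear and only the audit log reveals it; under the enforced policy they bounce, which is the “encryption-by-default” gateway behaviour the report recommends. The design choice worth noting is that the audit record is produced for every message, not only for failures, so the log can serve as positive proof that the safeguard was applied.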
The Human Factor: Automated vs. Manual
The report concludes that reliance on human behavior—such as typing “Secure” in a subject line—is a guaranteed failure point. 82% of healthcare IT leaders admit they worry staff will miss a critical security step.
In one cited enforcement action, a clinic was fined $25,000 simply for sending PHI to the wrong recipient via unencrypted email. As Hoala Greevy, CEO of Paubox, notes, “If you’re handling PHI without encryption or a BAA in place, you’re creating liability”.
The industry consensus is shifting toward “encryption-by-default,” where security is applied automatically at the gateway level, removing the decision from the user entirely and ensuring that no message leaves the network without verifiable protection.

