52% of Healthcare Email Breaches Involve Microsoft 365 as “Silent Fallback” Exposes Patient Data

Editorial Team
5 Min Read


What You Should Know:

– A new report from Paubox finds that email remains the leading source of HIPAA breaches, with 107 incidents reported in the first half of 2025 alone.

– The analysis identifies a critical flaw in common platforms such as Microsoft 365, which prioritize message delivery over security and often fall back to unencrypted transmission without alerting the sender. With OCR proposing to upgrade encryption from an “addressable” to a “required” safeguard, healthcare organizations that rely on manual toggles or default delivery settings face imminent regulatory risk.

Illusion of Compliance: Why “Delivery-First” Is Failing Healthcare

The healthcare industry is facing a digital security crisis that is largely invisible to the clinicians and administrators sending the messages. According to a new report by email security provider Paubox, 107 email-related HIPAA breaches were reported to HHS in the first half of 2025, putting the industry on track to surpass 2024’s record figures.

The core problem the report identifies is not a lack of tools but a flaw in configuration philosophy. While most organizations have Business Associate Agreements (BAAs) and encryption policies in place, the technical reality of “delivery-first” platforms is leaving patient data exposed.

The “Silent Fallback” Risk in Major Platforms

For many IT leaders, the most alarming finding is the role of ubiquitous platforms. The report notes that 52% of email-related breaches in 2025 involved Microsoft 365. The weakness lies in how these platforms handle transmission failures. When a recipient’s mail server does not support modern TLS (TLS 1.2 or higher), platforms like Microsoft 365 and Google Workspace default to a “silent fallback”: they prioritize delivering the message over maintaining security, transmitting the email in plaintext rather than bouncing it. This is ordinary opportunistic STARTTLS behaviour, not a defect unique to either vendor. Both platforms offer a setting that requires TLS for specified recipient domains, and a recipient that publishes an MTA-STS policy in enforce mode (RFC 8461) tells senders not to downgrade; without one of those in place, opportunistic delivery is the default.

Crucially, this happens without alerting the sender. An organization can have encryption “enabled” in its settings and still suffer a reportable breach because the platform negotiated down to an insecure transport to ensure delivery.

The Death of the Secure Portal

To mitigate transmission risks, many health systems rely on secure portals. However, the report argues that portals satisfy the security requirement by creating a usability crisis. Data from the National Library of Medicine cited in the report indicates that 65% of portal users stop engaging after day one. The friction of creating logins and entering codes causes patients and providers to bypass these systems entirely, often resorting to insecure workarounds to get information where it needs to go faster.

“Portals meet the security requirement but fail the usability test,” the report states, noting that 22% of users cite difficulty navigating basic functions.

OCR 2025: From Policy to Proof

The stakes for these technical failures are about to rise significantly. The Office for Civil Rights (OCR) has proposed major updates to the HIPAA Security Rule in 2025. The proposed changes would reclassify encryption of ePHI from an “addressable” implementation specification to a “required” safeguard. Under the 2013 rules, “addressable” gave organizations flexibility; the new rule would mandate encryption as a baseline expectation.

The compliance model is also shifting from policy-driven compliance to evidence-driven accountability. Organizations will need to produce audit logs verifying that encryption safeguards were applied to every outbound message containing PHI.
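To make the “silent fallback” concrete, and to show what a per-message audit record that proves encryption was applied might contain, here is an added example; it is not code from the Paubox report or from any mail platform. It models the decision a sending gateway makes after the recipient’s MX has replied to EHLO and (possibly) completed a STARTTLS handshake: under a delivery-first policy a failed or weak TLS negotiation is downgraded to plaintext and the sender is not told; under a security-first policy, or when the recipient publishes an MTA-STS policy in enforce mode, the message is deferred instead. The recipient domains, EHLO replies and MTA-STS policy text are constructed for the example, and the Policy names and the record fields are this example’s own, not any vendor’s setting names.

```python
"""Sender-side transport policy for outbound SMTP: delivery-first vs security-first.
Added example with constructed data; not code from the report or any mail platform.
"""
import ssl  # used only for ssl.TLSVersion, which orders protocol versions
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Policy(Enum):
    DELIVERY_FIRST = "delivery-first"  # opportunistic TLS: send in the clear if TLS fails
    SECURITY_FIRST = "security-first"  # required TLS: defer or bounce instead of downgrading

MIN_TLS = ssl.TLSVersion.TLSv1_2  # the floor the article calls "modern TLS"

@dataclass
class Hop:
    """What the sending MTA learned about one recipient domain (constructed data)."""
    domain: str
    mx_host: str
    ehlo_extensions: List[str]            # keywords in the MX's EHLO reply
    negotiated: Optional[ssl.TLSVersion]  # None if STARTTLS was absent or the handshake failed
    mta_sts_policy: Optional[str] = None  # raw MTA-STS policy text, if the domain publishes one

def parse_mta_sts(text: str) -> dict:
    """Parse an MTA-STS policy file (RFC 8461, section 3.2); the 'mx' key may repeat."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        if key.strip() == "mx":
            policy["mx"].append(value.strip())
        else:
            policy[key.strip()] = value.strip()
    return policy

def mx_matches(mx_host: str, pattern: str) -> bool:
    """MTA-STS 'mx' entries are exact hostnames or one leading wildcard label."""
    if pattern.startswith("*."):
        parent = pattern[2:]
        return (mx_host.endswith("." + parent)
                and mx_host.count(".") == parent.count(".") + 1)
    return mx_host == pattern

def decide(hop: Hop, policy: Policy) -> dict:
    """Return the audit record for one outbound message to this hop."""
    sts = parse_mta_sts(hop.mta_sts_policy) if hop.mta_sts_policy else None
    sts_enforced = sts is not None and sts.get("mode") == "enforce"
    # The sender's own policy or the recipient's MTA-STS policy turns "TLS preferred"
    # into "TLS required".
    tls_required = policy is Policy.SECURITY_FIRST or sts_enforced
    offers_starttls = any(ext.upper() == "STARTTLS" for ext in hop.ehlo_extensions)
    tls_ok = offers_starttls and hop.negotiated is not None and hop.negotiated >= MIN_TLS
    mx_ok = not sts_enforced or any(mx_matches(hop.mx_host, p) for p in sts["mx"])

    record = {"domain": hop.domain, "mx": hop.mx_host, "policy": policy.value,
              "tls_version": hop.negotiated.name if tls_ok else None}
    if tls_ok and mx_ok:
        record.update(action="sent", encrypted=True, reason="STARTTLS negotiated at or above TLS 1.2")
    elif tls_required:
        reason = ("MX host not in recipient's MTA-STS policy" if not mx_ok else
                  "no STARTTLS offered" if not offers_starttls else
                  "STARTTLS handshake failed" if hop.negotiated is None else
                  f"negotiated {hop.negotiated.name} is below the TLS 1.2 floor")
        record.update(action="deferred", encrypted=False, reason=reason)
    else:
        # This branch is the article's "silent fallback": delivered in plaintext, sender never told.
        record.update(action="sent", encrypted=False, reason="silent fallback to plaintext")
    return record

# Constructed MTA-STS policy for one of the sample recipients below.
CONSTRUCTED_POLICY = ("version: STSv1\nmode: enforce\nmx: mx1.securehealth.example\n"
                      "mx: *.backup.securehealth.example\nmax_age: 604800\n")

def sample_hops() -> List[Hop]:
    """Constructed recipients covering the cases the article describes."""
    return [
        Hop("modern.example", "mx.modern.example",
            ["SIZE 52428800", "STARTTLS", "8BITMIME"], ssl.TLSVersion.TLSv1_3),
        Hop("legacy.example", "mail.legacy.example",
            ["SIZE 10240000", "8BITMIME"], None),                      # no STARTTLS at all
        Hop("oldtls.example", "mx.oldtls.example",
            ["STARTTLS"], ssl.TLSVersion.TLSv1),                        # handshake only reaches TLS 1.0
        Hop("securehealth.example", "mx9.securehealth.example",
            ["STARTTLS"], ssl.TLSVersion.TLSv1_2, CONSTRUCTED_POLICY),  # MX not listed in its policy
    ]

def outcome(policy: Policy, domain: str) -> dict:
    """Audit record for the constructed hop with this domain under the given policy."""
    return decide(next(h for h in sample_hops() if h.domain == domain), policy)

if __name__ == "__main__":
    for policy in Policy:
        for hop in sample_hops():
            rec = decide(hop, policy)
            print(f"{policy.value:15} {rec['domain']:22} {rec['action']:9} "
                  f"encrypted={str(rec['encrypted']):5} {rec['reason']}")
```

Running the block prints one line per recipient and policy. The two rows to compare are legacy.example and oldtls.example: under delivery-first they are marked sent with encrypted=False and the reason “silent fallback to plaintext”, which is exactly the outcome a sender never sees in a normal mail client; under security-first the same recipients are deferred with a reason an operator can act on. The securehealth.example row shows that a recipient’s MTA-STS enforce policy blocks the downgrade even when the sender is configured delivery-first. The record’s encrypted and tls_version fields are the kind of per-message evidence the proposed rule would require a gateway log to carry.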

The Human Factor: Automated vs. Manual

The report concludes that reliance on human behavior, such as typing “Secure” in a subject line, is a guaranteed failure point. 82% of healthcare IT leaders admit they worry staff will miss a critical security step.

In one cited enforcement action, a clinic was fined $25,000 simply for sending PHI to the wrong recipient via unencrypted email. As Hoala Greevy, CEO of Paubox, notes, “If you’re handling PHI without encryption or a BAA in place, you’re creating liability.”

The industry consensus is shifting toward “encryption-by-default,” where security is applied automatically at the gateway level, removing the decision from the user entirely and guaranteeing that no message leaves the network without verifiable protection.
