SAN FRANCISCO–(BUSINESS WIRE)–A new investigative report from HIPAA compliant email provider Paubox has exposed a hidden security failure in Microsoft 365 and Google Workspace, two of the most widely used email platforms. Despite claims of encryption and compliance, both platforms fail under real-world conditions that could expose sensitive information without the sender or receiver knowing.
The report, How Microsoft and Google Put PHI at Risk, details a series of controlled experiments in which messages sent from both platforms were delivered either using obsolete encryption protocols or unencrypted in cleartext. In all test cases, the sender was never notified of the failure—there was no bounce, no alert, and no visible log.
A test of real-world encryption
The Paubox research team simulated how email behaves when sent to outdated or noncompliant servers—a realistic scenario in healthcare, where digital infrastructure is often fragmented across clinics, vendors, and legacy systems.
- Google Workspace still transmits emails using obsolete encryption protocols like TLS 1.0 and TLS 1.1—versions explicitly prohibited by the NSA.
- Microsoft 365 silently delivers emails in cleartext when encryption cannot be negotiated, exposing sensitive data to potential interception with no warning to senders or recipients.
- In both cases, there was no bounce, no alert, and no audit trail. The only evidence was buried in the message headers.
- Outdated TLS configurations and certificate mismanagement are consistently listed among the top security risks, even in API environments.
Critically, these weren’t configuration mistakes.
Cleartext delivery and outdated encryption put data at risk
This isn’t just a healthcare problem. Any organization relying on Microsoft 365 or Google Workspace for email encryption could be unknowingly exposing sensitive information. These platforms do not consistently enforce strong encryption, and many IT teams are unaware of the gaps.
“Using obsolete encryption provides a false sense of security because it seems as though sensitive data is protected, even though it really is not.” – NSA, Eliminating Obsolete TLS, 2021
These flaws violate the NSA’s guidance to eliminate TLS 1.0 and 1.1, and directly contradict RFC 8996, which states that outdated protocols “MUST NOT be used.”
With no audit trail, no bounce, and no alert, messages appear to be protected, even when they’re not.
When encryption fails, organizations are left vulnerable to regulatory violations, legal action, and reputational damage, even when they believe they’ve done everything right.
Next steps for IT and compliance teams
Paubox urges IT leaders to stop assuming encryption is working and start testing it for themselves. The report walks through the testing process in detail and includes annotated message header examples that show what encryption downgrade looks like in practice.
The full report is available now at https://hubs.la/Q03tg5-k0.
About Paubox
Paubox is a leader in HIPAA compliant communication and marketing solutions for healthcare organizations. According to G2 rankings, Paubox leads the industry for Best Secure Email Gateway, Email Security, HIPAA Compliant Messaging Software, and Email Encryption solution, and is the only HIPAA compliant email company listed on G2’s 2025 Best Healthcare Software Products. Paubox solutions include Paubox Email Suite, Paubox Marketing, Paubox Email API, Paubox Forms, and Paubox Texting. Launched in 2015, Paubox is trusted by over 6,000 healthcare organizations, including AdaptHealth, Cost Plus Drugs, and Covenant Health.
Contacts
Media Contact:
Dawn Halpin
press@paubox.com
