Microsoft and Google encryption flaws silently expose healthcare data, reveals new Paubox report

A June 2025 Paubox report reveals encryption failures in Microsoft 365 and Google Workspace, exposing sensitive data silently and violating HIPAA standards.


A landmark encryption vulnerability report published by Paubox, a San Francisco-based HIPAA-compliant email provider, has uncovered serious failings in email security protocols used by Microsoft 365 and Google Workspace—two of the world’s most widely adopted enterprise cloud email platforms. The report, titled How Microsoft and Google Put PHI at Risk, reveals that under real-world conditions, both services transmit emails using outdated or insufficient encryption without notifying users, silently putting regulated data such as protected health information (PHI) at risk of unauthorized access.

The June 2025 report is particularly significant for regulated sectors like healthcare, where secure transmission of sensitive records is legally mandated. Despite claims of compliance, Microsoft and Google’s platforms were found to degrade encryption quality or bypass it entirely when faced with non-compliant or outdated recipient systems—an everyday scenario in fragmented digital environments.

What encryption vulnerabilities were discovered in Microsoft 365 and Google Workspace by Paubox in 2025?

The findings were based on a series of simulated healthcare communication scenarios conducted by Paubox’s internal research team. These simulations involved sending messages from Microsoft 365 and Google Workspace to outdated or misconfigured email servers, mimicking the common conditions found in medical provider networks and vendor ecosystems.

During the simulations, Microsoft 365 was observed transmitting emails in cleartext—completely unencrypted—whenever encryption negotiation failed. This delivery occurred without warning, error notifications, bounce messages, or user-facing logs. Messages appeared to be sent successfully, despite being readable in transit by unauthorized parties.

Meanwhile, Google Workspace continued to transmit messages using obsolete encryption protocols, specifically Transport Layer Security (TLS) versions 1.0 and 1.1. These versions have long been deprecated because of known weaknesses: the Internet Engineering Task Force (IETF) explicitly prohibits them in RFC 8996, and the U.S. National Security Agency (NSA) likewise directs organizations to stop using them.

The only way to confirm the failure was by manually inspecting the message headers, where evidence of encryption downgrade or plaintext delivery was deeply buried. Most end users, administrators, and even compliance auditors would be unaware that the messages were not properly secured.

Why are TLS 1.0 and TLS 1.1 considered inadequate for secure enterprise communications?

TLS 1.0 and 1.1 were once standard cryptographic protocols used to secure web and email traffic, but they have since been deemed unsafe due to their susceptibility to interception and downgrade attacks. These protocols lack support for modern cryptographic algorithms, making it easier for attackers to decrypt or tamper with messages in transit.


The NSA, in its 2021 bulletin Eliminating Obsolete TLS, issued strong guidance that continued use of these protocols gives organizations a “false sense of security” because messages may appear to be encrypted when, in fact, they are still vulnerable to attack. The agency explicitly warned that transmission using deprecated protocols violates best practices for national security and regulatory compliance.

The IETF further mandated the deprecation through RFC 8996, stating unequivocally that TLS 1.0 and 1.1 “MUST NOT be used.” Paubox’s findings suggest that Google Workspace disregards this mandate during certain email transmission events, maintaining compatibility at the expense of secure encryption.

How does silent encryption failure in enterprise email impact legal compliance in healthcare and regulated industries?

The most alarming aspect of Paubox’s findings is not simply that encryption fails—it’s that it fails without any visible sign to users, administrators, or compliance monitors. Messages appear to be delivered normally, with no error codes, rejection notices, or notifications. This silent failure poses a regulatory minefield for organizations that believe they are operating within compliance standards, only to discover after the fact that sensitive data was sent unencrypted.

In healthcare, this could constitute a HIPAA violation if PHI is exposed to unauthorized parties, even unintentionally. HIPAA’s data transmission rules require that health information be encrypted in transit unless a secure alternative is demonstrably in place. The law allows for heavy penalties, with fines ranging from USD 100 to over USD 50,000 per violation, potentially accumulating to USD 1.5 million per year per compliance category.

The same issues extend to other regulated sectors. Financial services, legal practices, and government contractors all rely on email to transmit sensitive data. If those messages are silently exposed due to unrecognized encryption downgrades, organizations could be liable under federal, state, or international data privacy regulations such as the General Data Protection Regulation (GDPR) in the European Union.


Why do organizations mistakenly believe Microsoft 365 and Google Workspace provide complete email encryption?

Part of the problem stems from a misalignment between user perception and technical reality. Most organizations assume that toggling on built-in encryption settings in Microsoft or Google environments ensures full compliance. But Paubox’s research shows that these settings are conditional—they work only when the recipient systems also meet modern encryption standards.

When encountering outdated or noncompliant infrastructure—common in multi-vendor ecosystems or legacy environments—Microsoft 365 may default to cleartext delivery without alerting users. Google Workspace, in turn, silently downgrades encryption to insecure TLS versions for the sake of message delivery continuity.

The lack of transparency, logging, and user feedback makes it virtually impossible for compliance teams to detect or remediate these failures. As a result, sensitive information may be routinely exposed under the false assumption of secure transmission.

How is Paubox addressing the secure email needs of HIPAA-covered healthcare institutions?

Founded in 2015, Paubox has built a niche around encrypted email and communication products tailored for healthcare and other compliance-sensitive sectors. Unlike general-purpose cloud email providers, Paubox enforces end-to-end encryption by default, without allowing silent fallback to legacy protocols.

Paubox’s product suite includes the Paubox Email Suite, Paubox Marketing, Paubox Email API, Paubox Texting, and Paubox Forms, all of which are designed to provide tamper-resistant encryption with visible audit trails. The company currently supports more than 6,000 healthcare organizations, including high-profile clients like AdaptHealth, Cost Plus Drugs, and Covenant Health.

In 2025, Paubox was ranked at the top of several G2 software categories, including Best Secure Email Gateway, Best HIPAA-Compliant Messaging Software, and Best Email Encryption Solution. It is also the only secure email provider featured in G2’s list of 2025 Best Healthcare Software Products.

What strategic guidance does Paubox offer to IT leaders and compliance teams after these revelations?

In light of the findings, Paubox recommends that organizations stop assuming encryption is functioning correctly and instead adopt proactive testing. The company has published detailed instructions for conducting test messages, analyzing message headers, and identifying encryption downgrade scenarios in the field.


According to the report, organizations should regularly test email delivery to known noncompliant servers, monitor TLS versions used in message headers, and implement third-party enforcement solutions that prevent email from being sent without proper encryption. Paubox argues that only by taking control of transmission layers can IT leaders ensure HIPAA and regulatory compliance under real-world conditions.
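The header inspection the report relies on (and the monitoring of TLS versions recommended above) can be automated. The following Python script is an added example, not code from Paubox or from the report: it walks a message's Received: headers, reads the RFC 3848 "with" keyword (ESMTPS/ESMTPSA indicate STARTTLS; ESMTP/SMTP indicate a cleartext hop) and the "version=..." annotation that Google's and Microsoft's MTAs append, and flags any hop that ran in cleartext or over a version below TLS 1.2. The two sample messages, hostnames and IDs are constructed for illustration.

```python
"""Audit an email's Received: chain for hops delivered in cleartext or over the
TLS versions RFC 8996 deprecates (TLS 1.0 and 1.1).
Added example; the sample messages below are constructed, not taken from the report."""
import re
from email import message_from_string

MIN_TLS = (1, 2)  # RFC 8996: TLS 1.0 and 1.1 MUST NOT be used

# RFC 3848 "with" keywords: ESMTPS/ESMTPSA mean STARTTLS was negotiated;
# ESMTP, SMTP and ESMTPA mean the hop ran without TLS.
WITH_RE = re.compile(r"\bwith\s+(E?SMTPS?A?)\b", re.IGNORECASE)
# Google's and Microsoft's MTAs append the negotiated version, e.g. "(version=TLS1_2 cipher=...)".
VERSION_RE = re.compile(r"version=([A-Za-z0-9_.]+)", re.IGNORECASE)


def parse_tls_version(token):
    """Map 'TLS1_2', 'TLSv1.3', 'TLS1', 'SSLv3', ... to a comparable (major, minor) tuple."""
    t = token.upper().replace("V", "").replace("_", ".")
    m = re.fullmatch(r"(TLS|SSL)(\d+)(?:\.(\d+))?", t)
    if not m:
        return None
    family, major, minor = m.group(1), int(m.group(2)), int(m.group(3) or 0)
    return (0, major) if family == "SSL" else (major, minor)  # SSLv2/v3 rank below every TLS


def audit_hop(received):
    """Classify one Received: header as 'tls', 'deprecated-tls', 'cleartext' or 'unknown'."""
    text = re.sub(r"\s+", " ", received)  # unfold continuation lines
    version_match = VERSION_RE.search(text)
    with_match = WITH_RE.search(text)
    version = parse_tls_version(version_match.group(1)) if version_match else None
    keyword = with_match.group(1).upper() if with_match else None
    if version is not None:
        status = "tls" if version >= MIN_TLS else "deprecated-tls"
    elif keyword is None:
        status = "unknown"
    elif keyword in ("ESMTPS", "ESMTPSA"):
        status = "tls"  # encrypted, but this MTA did not record the version
    else:
        status = "cleartext"
    return {"status": status, "version": version, "keyword": keyword}


def audit_message(raw):
    """Return one audit record per hop, newest hop first (Received: headers are prepended)."""
    msg = message_from_string(raw)
    return [audit_hop(h) for h in msg.get_all("Received", [])]


def verdict(raw):
    """Overall result: 'fail' if any hop was cleartext or deprecated TLS, else 'pass'."""
    bad = {"cleartext", "deprecated-tls"}
    return "fail" if any(h["status"] in bad for h in audit_message(raw)) else "pass"


# Constructed sample: the final hop negotiated TLS 1.2, but the legacy relay
# before it accepted the message without STARTTLS (plain ESMTP).
SAMPLE_CLEARTEXT_HOP = """\
Received: from relay.legacy-clinic.example (relay.legacy-clinic.example [192.0.2.10])
        by mx.hospital.example with ESMTPS id abc123
        (version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256/256);
        Mon, 2 Jun 2025 09:15:02 -0700
Received: from [192.0.2.25] (workstation.legacy-clinic.example [192.0.2.25])
        by relay.legacy-clinic.example with ESMTP id def456;
        Mon, 2 Jun 2025 09:14:58 -0700
From: clinic@legacy-clinic.example
To: records@hospital.example
Subject: Referral

body
"""

# Constructed sample: delivered over TLS 1.0, which RFC 8996 prohibits.
SAMPLE_DEPRECATED_TLS = """\
Received: from mail.vendor.example (mail.vendor.example [198.51.100.7])
        by mx.hospital.example with ESMTPS id ghi789
        (version=TLS1 cipher=AES128-SHA bits=128/128);
        Mon, 2 Jun 2025 10:01:44 -0700
From: billing@vendor.example
To: records@hospital.example
Subject: Statement

body
"""

if __name__ == "__main__":
    for name, raw in (("cleartext hop", SAMPLE_CLEARTEXT_HOP), ("TLS 1.0 hop", SAMPLE_DEPRECATED_TLS)):
        print(name, "->", verdict(raw))
        for hop in audit_message(raw):
            print("   ", hop)
```

Run it over messages exported from a mailbox (or feed raw .eml files to `verdict`) to build the evidence the report says is otherwise "deeply buried" in headers. Two limits worth knowing: a sender can only see the hops recorded by receivers that add Received: headers, so the outbound side of a Microsoft 365 or Google Workspace delivery is best checked from a test mailbox you control on the receiving end; and an MTA that omits the "version=" annotation is classified only as "tls" or "cleartext", not by version.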

The full 2025 encryption failure report is available to the public via Paubox’s research portal at https://hubs.la/Q03tg5-k0, including annotated screenshots and a complete methodology for replication and audit.

What is the institutional sentiment toward Microsoft and Google following Paubox’s security report?

Although there has been no immediate market impact on Microsoft (NASDAQ: MSFT) or Alphabet (NASDAQ: GOOGL) shares, institutional sentiment around security in SaaS platforms is growing increasingly cautious. Analysts note that while both companies offer scalable and cost-effective collaboration tools, their lack of guaranteed encryption enforcement introduces risk exposure in regulated sectors.

Institutional investors with healthcare and financial portfolios are expected to re-evaluate vendor security assurances, especially in light of increased cyberattacks against hospitals and government agencies. If regulators update encryption compliance expectations based on Paubox’s findings, this could shift enterprise adoption toward vendors that offer encryption-enforced email delivery models.

Analysts further expect upcoming federal agency recommendations—possibly from the Office for Civil Rights or Cybersecurity and Infrastructure Security Agency (CISA)—to underscore the need for transparent, verifiable encryption as a compliance requirement.

