Email Security Failures Put Healthcare at Risk

A recent Paubox report shows email remains the leading cause of HIPAA breaches, with 107 incidents in the first half of 2025 alone. The findings highlight a dangerous flaw in widely used platforms like Microsoft 365 and Google Workspace: they prioritize message delivery over security. When encryption fails, these systems often default to sending emails in plain text—without notifying the sender—leaving patient data exposed.

Delivery-First Platforms: A Hidden Risk

Over half of reported breaches involved Microsoft 365. The problem isn’t the absence of tools, but the way platforms silently “fall back” to insecure protocols. Even with encryption enabled, organizations can unknowingly transmit unprotected PHI, creating liability.

Portals vs. Usability

Secure portals were designed to solve transmission risks, but they introduce usability barriers. Studies show 65% of patients stop using portals after the first day, frustrated by logins and codes. This friction drives users back to insecure workarounds.

Rising Regulatory Pressure

The Office for Civil Rights (OCR) plans to make encryption a required safeguard under HIPAA in 2025, shifting compliance from policy statements to proof. Organizations will need audit logs showing encryption was applied to every outbound message.

Human Error and Enforcement

Manual safeguards—like typing “Secure” in subject lines—are unreliable. In one case, a clinic was fined $25,000 for sending PHI unencrypted to the wrong recipient. With 82% of IT leaders worried staff will miss critical steps, the industry is moving toward encryption-by-default, applied automatically at the gateway level.
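The silent fallback and the encryption-by-default alternative described above can be shown side by side in a single SMTP delivery routine. This is an added example, not code from the Paubox report or from any platform named here; it assumes a generic SMTP relay, and `deliver`, `PlaintextRefused` and `smtp_factory` are hypothetical names.

```python
import smtplib
import ssl
from datetime import datetime, timezone


class PlaintextRefused(Exception):
    """Raised instead of silently continuing over an unencrypted session."""


def deliver(host, sender, recipient, message, require_tls=True,
            port=25, smtp_factory=smtplib.SMTP):
    """Send one message and return an audit record of the encryption applied.

    require_tls=False reproduces delivery-first behaviour: if the receiving
    server does not offer STARTTLS, the message still goes out in plain text.
    require_tls=True fails closed before any message content is transmitted.
    smtp_factory is a hypothetical hook so the session class can be swapped
    in tests.
    """
    context = ssl.create_default_context()   # verifies certificate and hostname
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    record = {
        "time": datetime.now(timezone.utc).isoformat(),
        "relay": host,
        "recipient": recipient,
        "tls_version": None,
        "cipher": None,
    }
    with smtp_factory(host, port, timeout=15) as session:
        session.ehlo()
        if session.has_extn("starttls"):
            session.starttls(context=context)  # raises if the handshake fails
            session.ehlo()                     # re-identify over the TLS channel
            record["tls_version"] = session.sock.version()
            record["cipher"] = session.sock.cipher()[0]
        elif require_tls:
            raise PlaintextRefused(
                f"{host} did not offer STARTTLS; message to {recipient} not sent")
        # Reached without TLS only when require_tls is False: the silent fallback.
        session.sendmail(sender, [recipient], message)
    record["encrypted"] = record["tls_version"] is not None
    return record
```

Writing the returned record to an append-only log for every outbound message gives per-message evidence of the TLS version and cipher used, and a `PlaintextRefused` exception gives the sender the notification that delivery-first fallback omits.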
