SAN FRANCISCO–(BUSINESS WIRE)–An estimated 3 million email addresses may be at risk of exposure to common cyberattacks, such as man-in-the-middle attacks, because email delivery often proceeds even when certificate validation fails. New research from Paubox found that encrypted email is routinely sent to servers with expired or self-signed certificates, preventing reliable verification of the recipient’s identity.
New research from Paubox found that encrypted email is routinely sent to servers with expired or self-signed certificates, preventing reliable verification of the recipient’s identity.
In an analysis of outbound healthcare email traffic, Paubox found that approximately 4.5% of connections were delivered to servers with expired or self-signed certificates. The analysis examined 784,961 unique email outbound email traffic relays used by the healthcare sector.
Transport Layer Security (TLS) is widely relied on to encrypt email in transit. However, TLS depends on digital certificates to establish trust between sending and receiving servers. When certificates are expired or self-signed, encryption may still occur, but the integrity of the connection cannot be proven.
Paubox found that cloud email platforms frequently deliver messages even when certificate validation fails, prioritizing delivery over verification. As a result, sensitive healthcare communications may travel through untrusted paths without triggering alerts or errors for senders.
The issue is compounded by healthcare’s complex vendor ecosystem. Clinics, hospitals, billing companies, imaging services, and managed service providers routinely exchange email containing protected health information (PHI), often using aging or misconfigured infrastructure. According to Paubox’s mid-year breach data, 16% of email-related healthcare breaches in 2025 involved business associates.
“HIPAA doesn’t spell out ‘no self-signed certs’,” the report notes, “but the Security Rule requires organizations to verify the integrity of the connection.”
Paubox’s report outlines how its outbound encryption technology addresses this gap by enforcing certificate validation and automatically switching to secure delivery when certificate trust cannot be established. Unlike traditional TLS-only approaches, this model removes reliance on the recipient’s infrastructure behaving correctly.
