An estimated 3 million email addresses may be at risk of exposure to common cyberattacks, such as man-in-the-middle attacks, because email delivery often proceeds even when certificate validation fails. New research from Paubox found that encrypted email is routinely sent to servers with expired or self-signed certificates, preventing reliable verification of the recipient’s identity.

In an analysis of outbound healthcare email traffic, Paubox found that approximately 4.5% of connections were delivered to servers with expired or self-signed certificates. The analysis examined 784,961 unique email outbound email traffic relays used by the healthcare sector.

Transport Layer Security (TLS) is widely relied on to encrypt email in transit. However, TLS depends on digital certificates to establish trust between sending and receiving servers. When certificates are expired or self-signed, encryption may still occur, but the integrity of the connection cannot be proven.

Paubox found that cloud email platforms frequently deliver messages even when certificate validation fails, prioritizing delivery over verification. As a result, sensitive healthcare communications may travel through untrusted paths without triggering alerts or errors for senders.

The issue is compounded by healthcare’s complex vendor ecosystem. Clinics, hospitals, billing companies, imaging services, and managed service providers routinely exchange email containing protected health information (PHI), often using aging or misconfigured infrastructure. According to Paubox’s mid-year breach data, 16% of email-related healthcare breaches in 2025 involved business associates.

“HIPAA doesn’t spell out ‘no self-signed certs’,” the report notes, “but the Security Rule requires organizations to verify the integrity of the connection.”

Paubox’s report outlines how its outbound encryption technology addresses this gap by enforcing certificate validation and automatically switching to secure delivery when certificate trust cannot be established. Unlike traditional TLS-only approaches, this model removes reliance on the recipient’s infrastructure behaving correctly.

The full report, Healthcare’s email security certificate crisis, details the data behind the findings, explains how TLS and certificates work in plain language, and outlines why expired and self-signed certificates pose a growing compliance risk for healthcare organizations.

The report is available at: https://hubs.la/Q03ZRGnG0

About Paubox

Paubox is a leader in HIPAA compliant communication and marketing solutions for healthcare organizations. According to G2 rankings, Paubox leads the industry for Best Secure Email Gateway, Email Security, HIPAA Compliant Messaging Software, and Email Encryption solution, and is the only HIPAA compliant email company listed on G2's 2025 Best Healthcare Software Products. Paubox solutions include Paubox Email Suite, Paubox Marketing, Paubox Email API, and Paubox Forms. Launched in 2015, Paubox is trusted by over 8,000 healthcare organizations, including AdaptHealth, Cost Plus Drugs, and Covenant Health.

View source version on businesswire.com: https://www.businesswire.com/news/home/20260107156514/en/

New research from Paubox found that encrypted email is routinely sent to servers with expired or self-signed certificates, preventing reliable verification of the recipient’s identity.