diff --git a/client/data/data.go b/client/data/data.go
index e4b9943..f156b8e 100644
--- a/client/data/data.go
+++ b/client/data/data.go
@@ -154,6 +154,9 @@ func DecryptHistoryEntry(userSecret string, entry shared.EncHistoryEntry) (Histo
 	if err != nil {
 		return HistoryEntry{}, nil
 	}
+	if decryptedEntry.EntryId != "" && entry.EncryptedId != "" && decryptedEntry.EntryId != entry.EncryptedId {
+		return HistoryEntry{}, fmt.Errorf("rejecting encrypted history entry that contains mismatching IDs (outer=%s inner=%s)", entry.EncryptedId, decryptedEntry.EntryId)
+	}
 	return decryptedEntry, nil
 }