LuxSci

Menu
Contact us
Login

Are Replies to Encrypted Emails also Secure?

replying to an email

Sending HIPAA-compliant emails is easy when you use an encryption solution like LuxSci. But what happens when someone replies to an encrypted message? Are the replies also secure? This is primarily a concern when using SMTP TLS as a secure means of email delivery. 

This article will explain how messages are sent securely, how replies behave, and whether they are secure and compliant. At the end, we provide some recommendations for how to balance security and usability. 

How are HIPAA-compliant Secure Emails Sent?

In general, there are four ways to securely send HIPAA-compliant email messages to a recipient. The way the original message is encrypted will determine the nature of how secure the reply is.

PGP and S/MIME Encryption

LuxSci supports these highly secure email encryption methods for those who wish to use them. However, as they require more setup and coordination with your recipients, most HIPAA-compliant accounts use something other than PGP and S/MIME for business email communications. 

To send messages using PGP and S/MIME encryption, you must exchange certificates with the recipient and install them in the mail client to encrypt and decrypt messages. Some organizations will use this technology for internal communications because they can manage the setup. However, this method is impractical for securing large-scale external communications. When most people talk about encrypted email messages, they refer to one of the methods: secure web portal or SMTP TLS encryption.

Secure Web Portal Encryption

Messages that utilize the secure web portal method of encryption are secured, stored, and accessed via a secure database. It works like this. The sender’s message is sent to a secure web portal, and a simple notification message (that does not contain PHI) is sent to the recipient. The recipient clicks on a link in this notice, verifies their identity by logging in, and then can access the message within the portal.

This is very secure and works with any recipient’s email address. However, accessing the message requires extra work on the recipient’s part. They must log into the portal to read the secure message.

SMTP TLS Encryption

Messages encrypted with SMTP TLS appear like any other email in the recipient’s inbox. They are only encrypted as they are transmitted from the sender’s servers to the recipient’s servers. Unless the recipient knows where to look in the metadata, they may not know TLS-encrypted messages are secured at all. 

Unlike secure web portal encryption, which can send encrypted messages to any active email address, SMTP TLS can only be used to secure messages if the recipient’s email service supports the technology. Today, the majority of email providers support TLS. However, some older email service providers do not. If the recipient’s servers do not support TLS, you cannot send them encrypted messages using this technology.

Are Replies to Encrypted Emails Also Encrypted?

That brings us back to our original question: are replies to encrypted emails also secured? The answer will depend on what type of encryption was initially used. When your recipient replies to your HIPAA-compliant secure email message, here is what could happen: 

PGP and S/MIME Replies

We won’t spend much time discussing PGP and S/MIME, but we will answer the question. Replies to email messages secured with PGP and S/MIME encryption will also be encrypted, assuming all certificates are correctly configured.

Secure Web Portal Replies

Most secure web portals offer an option for the recipient to reply directly within the portal. If the recipient replies in the portal, the message is automatically secured with the same high level of encryption it was sent with.

However, we can’t assume that the recipient will use the portal to reply. Some people could use their email program to reply to the notification message instead of using the portal. In that case, the reply may or may not be secure, depending upon whether their email system supports TLS or other email security measures. It’s best to assume these replies to the notification message will be insecure.

Replies to SMTP TLS Messages

When a recipient replies to an email sent using SMTP TLS, they use their regular email system to send that message. This may or may not be secure, depending on whether their email system supports TLS or other email security measures. For HIPAA compliance reasons, you should assume that the message will be sent insecurely.

are replies also secure graphic

If the Reply to an Encrypted Message is Insecure, Is the Email Non-Compliant?

That leads us to an interesting follow-up question- if replies to encrypted messages are not secure, does this mean the system is non-compliant?

The short answer is: No.

Why? HIPAA only applies to covered entities and their business associates. To comply with HIPAA regulations, these organizations must properly secure any PHI transmitted or stored in their systems. Patients are not subject to HIPAA regulations. 

The patient can choose to send their information insecurely or use alternate channels like a phone call or in-person appointment to communicate their health information if concerned about the security of their account. When a patient replies to a message from their healthcare provider, they are transmitting their own information and do not have to do so securely.

Should SMTP TLS be Used to Send HIPAA-Compliant Secure Emails?

HIPAA is notoriously technology-neutral. It tells you what to do but not how to do it. As a result, what is minimally required and what is best are sometimes very different things. Because of that, customers have a wide range of expectations for how they would like things to work. 

At LuxSci, HIPAA-compliant email accounts have SMTP TLS enabled automatically, so every message is sent with a base level of encryption. This is for maximum usability. Customers can turn off SMTP TLS as the sole method of secure email delivery or use it only for selected recipients (like their co-workers). It is up to the customer to choose which encryption methods they think are best for their organization. At a minimum, using TLS is better than using no encryption, but each organization will have different requirements and risk factors.  

There are no compliance reasons why SMTP TLS should not be used. Still, organizations may want to reduce their risk by increasing the level of encryption when sending communications that contain PHI to patients.

Recommended Best Practices For Sending HIPAA-Compliant Secure Emails

The best practices for security are often at odds with the best user experience. This is often true in security and HIPAA compliance. Finding the right balance of security and usability is essential to protect patient data and meet business objectives. Utilizing TLS for some emails and secure web portal encryption for others is likely the best solution. When spreading awareness and engaging patients with low-sensitivity messages like appointment and vaccine reminders is the goal, using TLS (with some fallback or exclusion to avoid sending insecurely) is likely the right idea. When sending highly sensitive information like lab results, medical records, or billing statements, using a more secure form of encryption, like a secure web portal, is wise to reduce the risk of inappropriate disclosures. 

Contact our sales team today to learn more about LuxSci’s flexible and secure HIPAA-compliant email options.

Get in touch

Find The Best Solution For Your Organization

Talk To An Expert & Get A Quote




A member of our staff will reach out to you

Follow us on LinkedIn

Search

Search

Category

Recent Posts

Get Your Free E-Book!

LuxSci High Email Deliverability Best Practices Paper

What you’ll learn:

  • How to opitmize email performance
  • Key strategies to increase email deliverability rates
  • How email deliverability impacts marketing ROI

Enter your email to download now!

We respect your privacy. No spam, ever.

Related Posts

healthcare marketing

How Automated Workflows Boost Engagement for Healthcare Marketing Campaigns

Due to the fact that it’s simple, instantaneous, cost-effective, and nearly universally adopted, email is an essential part of all healthcare marketing engagement strategies. However, consistent, personalized email engagement – particularly at scale – can be challenging. 

 

Fortunately, Automated Workflows offer a solution, allowing healthcare companies to deliver the right messages to the appropriate individuals at the right time, based on their individual engagement with emails.. 

 

In this post, we’ll explore the concept of Automated Workflows, the considerable benefits they offer healthcare companies, and the variety of ways they can be used to increase engagement and result in greater satisfaction and better healthcare outcomes for your patients and customers.

What Are Automated Workflows?

An Automated Workflow is a sequence of actions, known as’ Steps’ in LuxSci Secure Marketing, that a Contact (i.e., a patient or customer) moves through over time, based on a series of pre-defined rules or triggers. 

 

Each Step is programmed to automatically perform a specific function, such as sending an email or updating a Contact, when certain conditions are in place. These conditions could include: 

  • A Contact opening a message.
  • A Contact clicking through on a link.
  • A specified amount of time having elapsed.. 
  • A data update via an API call

By evaluating conditions to initiate the appropriate Step, Automated Workflows facilitate more timely, consistent, and personalized communication with Contacts (patients and customers ). As a result, healthcare companies can effectively harness Automated Workflows to develop dynamic, personalized email engagement journeys that adapt according to your patients and customers’ needs and prior interactions.

What Are the Benefits of Automated Workflows?

Let’s look at the various advantages that Luxsci Automated Workflows offer. 

Reduced Administrative Workload

Arguably, the most significant benefit of Automated Workflows is the extent to which they lower the administrative burden of email engagement campaigns for healthcare organizations. 

 

First and foremost, Automated Workflows eliminate the need for an employee to manually send your Contacts messages. As well as the manual effort, it removes a great deal of thought from the process – as someone isn’t required to remember to send an email. 

 

By the same token, this reduces the scope for human error, preventing the possibility of an employee neglecting to send an important message, sending it to the wrong person, or worse, accidentally exposing patient data, i.e., electronic protected health information (ePHI). 

 

The effort that Automated Workflows reduce is typically repetitive work that staff are glad to be free of, giving them additional time to focus on tasks that provide greater value and better contribute to better patient care and/or the customer experience. 

Enhanced Scalability

The time saved by employing Automated Workflows increases with the size of your Contact List and the scale of your engagement campaigns. In fact, enterprise-scale campaigns, with volumes of hundreds of thousands to millions of emails, are only feasible through the use of automation. 

 

Similarly, Automated Workflows enable healthcare organizations to run differing, personalized email campaigns aimed at unique patient or customer segments.  As well as automatically sending each message at the appropriate time, they provide tracking capabilities to determine the outcome of each message. 

Increased Consistency in Communication

Because Automated Workflows remediate the risk of emails going unsent, they facilitate more timely and consistent communications with patients and customers. This makes healthcare providers, payers, and suppliers appear more reliable and consistent, building trust and greater levels of satisfaction from Contacts. More importantly, recipients are better able to track what’s happening with their healthcare and assume a more proactive role overall healthcare journey..

 

Finally, creating an Automated Workflow requires healthcare organizations to carefully consider how they communicate with different Contact segments. Namely, the likely journey, or communication path, different types of Contacts take, i.e., information they need to know at a particular stage in their healthcare journey, the optimal order in which information needs to be presented, etc. This allows healthcare companies to become more in-tune with their patients’ and customers’ needs, enabling them to craft more valuable email communications that boost engagement. 

Personalized Healthcare Engagement 

Perhaps the most significant benefit of Automated Workflows is that they enable adaptive, personalized engagement for healthcare marketing and communications campiagns. Instead of manually tracking where each Contact is in a given engagement sequence, or worse, merely having to guess, you know precisely where they are. Consequently, you’re acutely aware of their needs and the exact nature of the emails you need to send them next. 

 

This, in turn, enables more effective Contact nurturing, i.e, strengthening your organization’s connection with each individual. When at its most effective, this may allow you to anticipate your Contacts’ needs, enabling you to send them communications, such screening or testing recommendations, educational materials, or product and service suggestions, that support their healthcare journey and enhance their quality of care.

Automated Workflow Use Cases

Automated Workflows are a powerful tool for increasing healthcare marketing and communications engagement because they can be applied to a wide range of use cases. Let’s take a look at some of the most common and impactful ways email automation can be used by healthcare companies. 

  • New Product Announcements: keeping patients and customers in the loop on your company’s latest offerings, as well as improvements to existing products and services that are likely to be of interest, based on their data and past actions.
  • Personalized recommendations: suggesting products or services based on the recipient’s past purchases or engagement history.
  • Re-Engagement Campaigns: Automated Workflows can also be used to reconnect with Contacts with whom engagement has waned or was never completely established, sending them personalized messages to encourage specific actions or reignite interest.
  • New Member Onboarding: welcoming new patients or customers  with a structured series of emails that introduces your services, provides technical assistance (where applicable), details subsequent steps, and explains how to get the most value from your products or services. 
  • Appointment Reminers and Follow-Ups: sending reminders, care instructions, medication adherence advice, or details on how to book subsequent appointments, for instance, after a patient visit. 
  • Patient Education Campaigns: taking patients through a structured curriculum on managing their medical condition or required  lifestyle changes to improve their health..
  • Preventative Care Communications: proactively sending reminders for screenings, check-ups, vaccinations, etc., based on PHI such as a patient’s age, gender, health condition or lifestyle risk factors.
  • Milestone Communications: sending personalized messages to acknowledge birthdays, enrollment anniversaries, and other pertinent dates. These can also be combined with preventative care communications, to send recommendations or other advice, based on the contact’s age, for instance.  
  • Feedback Collection: acquiring patient and customer feedback by sending follow-up surveys a set amount of time after a visit, procedure, purchase, etc. 

How Automated Workflows Work in LuxSci Secure Marketing

To round off this post, let’s take a deeper look at how Automated Workflows work within LuxSci’s Secure Marketing solution. LuxSci’s Automated Workflows enhance your organization’s HIPAA compliant healthcare marketing and email campaigns by giving you complete control of:

 

  • When each email is sent
  • Which Contacts receive particular communications according to their behavior, needs, and other PHI-based attributes
  • Which engagement path or branch a Contact takes based on their email actions

Here’s a look at LuxSci’s Automated Workflows key capabilities in greater detail. 

Smart Event-Based Branching and Conditions

You can branch Workflows to trigger targeted messaging based on a Contact’s attributes or certain engagement events, resulting in more relevant and effective healthcare journeys  with more desirable outcomes.

  • User actions:
    • Mailing list sign-ups
    • Form completion
    • Downloading a resource.
  • Time-based triggers:
    • A set period after a visit or procedure 
    • A defined period of inactivity or lack of contact
    • Milestones, e.g., birthdays, anniversaries. 
  • Behavioral triggers:
    • Email opens
    • Clicking on links
    • Visiting particular pages on a site or 
    • A lack of engagement with previous emails.
  • Transactional triggers:
    • Purchasing a product or service
    • Signing up for an event
    • Order confirmations or shipping updates after a purchase.
  • API-triggered events
    • Lab results or similar correspondence becoming available
    • Changes to data in EHR systems, CDP platforms, or CRM systems.. 

Automated Segment Management 

Automated Workflows can be used to dynamically add Contacts to segments based on demographics, past behavior, purchase history, and similar events. This enables more precise targeting and email personalization as they progress through specific Steps in each Workflow. 

Navigation Across Steps

Automated Workflows are also capable of navigating Contacts across different Steps or completely different Workflows depending on engagement outcomes and updates to a Contact’s PHI. Better still, if a Step has already been visited, LuxSci Secure Marketing automatically prevents repetition and infinite loops.

Automate Your Healthcare Marketing and Engagement Efforts

LuxSci Secure Marketing is a HIPAA compliant healthcare marketing solution especially designed for the stringent security and regulatory requirements of the healthcare industry. Our solution enables healthcare organizations to confidently communicate with patients and customers at scale without risking compliance violations, driving increased engagement and boosting the ROI of their marketing campaigns in the process. 

 

The latest version of LuxSci’s Secure Marketing solution with Automated Workflow functionality streamlines your company’s outreach efforts, saving considerable time, reducing human effort, and facilitating intelligent Contact management. 

What’s more, LuxSci’s reporting capabilities empower you to carefully track the results of your healthcare engagement campaigns, gaining insights at every step, including:

  • Which Contacts received particular messages
  • Who engaged with email communication, and how
  • Precise points where drop-offs in engagement occur
  • The engagement achieved with each Step in the Workflow

To learn more about LuxSci’s Secure Marketing solution and how Automated Workflows boost engagement for your healthcare marketing and communications campaigns, contact us today.

 

Read More
Healthcare marketing plan

How To Create a Healthcare Marketing Plan?

A healthcare marketing plan establishes strategic promotional activities, target audience identification, budget allocation, and compliance protocols to attract new patients while adhering to HIPAA privacy regulations and state advertising laws. Medical practices develop these documents to guide their promotional efforts across digital platforms, traditional media, and community outreach programs, ensuring all patient acquisition activities comply with healthcare privacy requirements and professional advertising standards.

Medical practices compete intensely for patient attention in saturated healthcare markets. Developing promotional strategies without proper planning leads to wasted resources, compliance violations, and missed opportunities to connect with patients who need specific medical services.

Target Audience in Healthcare Marketing Plan Development

Patient demographic research identifies age groups, geographic locations, insurance coverage types, and medical conditions that align with practice specialties and service offerings. Healthcare organizations analyze existing patient data to understand referral patterns, appointment scheduling preferences, and communication channel effectiveness for different population segments.

Competitor analysis reveals promotional strategies used by similar practices, pricing structures for comparable services, and market gaps that create opportunities for differentiation. This research helps practices position their services uniquely while avoiding oversaturated promotional approaches that fail to generate meaningful patient engagement.

Budget Allocation

Financial planning allocates resources across promotional channels based on expected return on investment, patient acquisition costs, and practice revenue goals. Digital advertising usually receives 40-60% of promotional budgets due to measurable results and targeted audience capabilities, while traditional media and community events receive smaller allocations.

Compliance costs including legal reviews, authorization management, and privacy training must be factored into promotional budgets to ensure all activities meet regulatory requirements. Practices that underestimate compliance expenses often discover their promotional activities violate privacy laws or professional advertising standards.

Digital Strategy to Drive Modern Patient Acquisition

Website optimization, search engine marketing, and social media presence are the core of contemporary promotional efforts outlined in every healthcare marketing plan. Practices invest in professional website design, patient portal integration, and mobile-responsive layouts to capture patients researching medical services online.

Content creation including blog posts, educational videos, and patient resources helps establish expertise while providing valuable information to potential patients. However, all content must avoid using patient information without authorization and cannot make unsubstantiated medical claims that violate advertising regulations.

Compliance Integration Protects Promotional Activities

HIPAA authorization procedures, business associate agreements with promotional vendors, and state advertising law compliance must be woven throughout every aspect of promotional planning. Healthcare marketing plan development includes legal review processes, privacy impact assessments, and staff training protocols to prevent violations.

Documentation requirements for promotional activities include consent forms, vendor contracts, and approval workflows that demonstrate compliance with healthcare privacy laws. Practices without proper documentation face significant penalties when regulatory investigations uncover promotional activities that violate patient privacy protections.

Community Outreach Builds Local Patient Relationships

Health fairs, educational seminars, and community partnerships create opportunities for practices to connect with potential patients through face-to-face interactions. These activities require planning to ensure patient privacy protection while maximizing promotional impact through relationship building and trust development.

Referral programs with other healthcare providers, local businesses, and community organizations can generate new patient leads when structured appropriately. Any financial incentives for referrals must comply with healthcare fraud and abuse laws to avoid legal complications.

Performance Measurement Guides Strategy Optimization

Patient acquisition metrics, appointment conversion rates, and promotional channel effectiveness data help practices evaluate their promotional success and adjust strategies accordingly. Healthcare marketing plan implementation includes tracking systems for website traffic, phone inquiries, and new patient appointments generated by different promotional activities.

Return on investment calculations compare promotional spending with revenue generated from new patients to determine which activities provide the best financial results. Practices use this data to reallocate budgets toward high-performing promotional channels while eliminating ineffective strategies.

Implementation Timeline

Monthly promotional calendars coordinate campaign launches, content publication schedules, and community event participation to maximize promotional impact while avoiding resource conflicts. Healthcare marketing plan execution requires detailed project management to ensure all activities launch on schedule and within budget constraints. Seasonal considerations including flu shot campaigns, wellness check promotions, and holiday health messaging opportunities require advance planning to capitalize on increased patient interest during specific time periods. Practices that plan these campaigns well in advance may achieve better results than those that react to opportunities without preparation.

Read More
HIPAA Marketing Rule

What Does the HIPAA Marketing Rule Require?

The HIPAA marketing rule prohibits healthcare organizations from using protected health information for promotional communications without written patient authorization, defining promotional activities as communications that encourage patients to purchase products or services with financial benefit to the sender. Organizations can send treatment-related communications, appointment reminders, and health plan benefit descriptions without authorization, but any communication promoting third-party products, paid services, or revenue-generating activities requires explicit patient consent through properly executed authorization forms.

Healthcare providers regularly find themselves struggling with acceptable patient education and prohibited promotional activities. A simple newsletter about diabetes management becomes problematic when it includes advertisements for glucose monitors or pharmaceutical products that generate revenue for the practice.

The HIPAA Marketing Rule Authorization Framework

Patient authorization documents must contain sixteen specific elements including detailed descriptions of information to be disclosed, identification of recipients, expiration dates, and explanations of revocation rights. These forms cannot be combined with other consent documents and must use plain language that patients can easily understand. Healthcare organizations face penalties when authorization forms lack required elements or contain overly broad permission language.

Patients retain the right to revoke authorization at any time, forcing organizations to immediately cease all promotional activities involving that individual’s information. Organizations cannot condition treatment, payment, enrollment, or benefits eligibility on patients providing authorization for promotional purposes, creating clear separation between healthcare services and commercial activities.

Treatment Communications Bypass Marketing Restrictions

Healthcare organizations can discuss treatment alternatives, medication options, and care coordination services without obtaining separate authorization because these communications serve legitimate healthcare purposes rather than commercial interests. Appointment scheduling, test result notifications, and prescription refill reminders fall under treatment or healthcare operations exemptions from marketing regulations.

Face-to-face communications between providers and patients about treatment options is unrestricted, even when providers receive financial benefits from recommended treatments or services. Written materials distributed during these encounters may trigger authorization requirements if they promote specific products or services beyond the immediate treatment relationship.

Financial Incentive Distinctions Shape HIPAA Marketing Rule Compliance

Communications become subject to the HIPAA marketing rule when healthcare organizations receive financial remuneration from third parties for promoting their products or services. Pharmaceutical company payments for promoting medications, medical device manufacturer incentives, or referral fees from specialty services transform otherwise acceptable communications into restricted promotional activities.

Organizations must examine their financial relationships carefully to determine when communications cross from permissible healthcare operations into restricted promotional territory. Even nominal payments or gifts from third parties can trigger marketing authorization requirements for communications that mention or promote those parties’ products or services.

Business Associate Relationships Complicate Marketing Activities

Vendors creating promotional materials, managing patient outreach campaigns, or analyzing treatment data for commercial purposes need business associate agreements before accessing PHI. These relationships are difficult if the promotional vendors also provide healthcare services or when healthcare organizations share revenue from marketing activities with their business partners.

Organizations must negotiate appropriate contractual protections and ensure vendors understand their obligations under the HIPAA marketing rule before beginning any collaborative promotional activities. Liability for vendor violations remains with the covered entity, making careful partner selection and monitoring essential for maintaining compliance.

Digital Platforms & Modern Marketing Compliance Challenges

Social media advertising, email campaigns, and online retargeting involve sharing patient information with technology platforms that lack appropriate privacy protections. Healthcare organizations cannot upload patient contact lists, demographic details, or treatment information to advertising platforms without proper authorization and business associate agreements covering those platforms.

Website analytics, social media pixels, and advertising tracking technologies may inadvertently capture and transmit PHI to third-party platforms without appropriate protections. Organizations need controls to prevent accidental information sharing while still enabling effective digital marketing activities within compliance boundaries.

Enforcement Penalties Reflect Serious Violation Consequences

Recent Office for Civil Rights enforcement actions have resulted in multi-million dollar settlements for organizations that used patient information in marketing materials without authorization or shared PHI with advertising vendors without appropriate agreements. These cases highlight increasing federal scrutiny of healthcare promotional activities and willingness to impose substantial financial penalties.

Violations may stem from seemingly innocent activities like patient newsletters, social media posts, or website testimonials that inadvertently disclosed PHI without proper authorization. Organizations discover that good intentions cannot shield them from penalties when their marketing activities violate patient privacy protections under the HIPAA marketing rule.

Compliance Programs Minimize Violation Risks

Healthcare organizations benefit from establishing clear review processes for all promotional materials and patient communications before distribution. Designated privacy personnel can evaluate whether proposed communications require authorization, involve business associate relationships, or create other compliance risks under marketing regulations.

Staff training helps employees recognize the difference between permissible healthcare communications and restricted marketing activities. Education updates keep pace with new promotional channels, emerging technology platforms, and evolving interpretations of the rule’s requirements within changing healthcare and advertising landscapes.

Read More
explanation of benefits

Why Healthcare Insurers Should Send Explanation of Benefits Statements Via Email

Explanation of Benefits statements or EOBs are mission-critical communications for health insurers because they ensure transparency, help detect billing errors or fraud, and most importantly, keep patients informed about their benefits and related payments.

 

However, the most conventional method of sending out EoBs, traditional mail, has several drawbacks that can prevent important information about healthcare coverage from reaching the intended recipient. This can leave policyholders in the dark about their healthcare coverage, which can lead to confusion and dissatisfaction with their insurance provider when they receive an unexpected medical bill. This can also drive up inbound calls into your claims department or contact center.

 

Because Explanation of Benefits statements contain the protected health information (PHI) of policyholders, insurers are bound by HIPAA (the Health Insurance Portability and Accountability Act) regulations to ensure their secure delivery. Consequently, the risks inherent to sending paper EoB statements in the mail not only have security implications but also potential consequences for non-compliance.

 

With all this in mind, this post discusses why healthcare insurers should send EoBs to their policyholders via secure email instead of traditional mail. We detail the various benefits of making the switch to electronic EoBs, which include enhanced security, better adherence to compliance regulations, and the opportunity to save millions of dollars per month.

 

Protecting Patient Privacy

The primary reason that insurance companies should shift to email EoBs as opposed to traditional mail is that it’s far more secure. Sending an EoB via email drastically decreases the risk of protected health information (PHI) getting into the wrong hands. When sent in paper form by mail, an EoB could be:

 

  • Lost, stolen or damaged in transit
  • Delivered to the wrong address
  • Not properly deposited in a letter or mailbox, then stolen
  • Intercepted within the intended address by another individual who lives at or has access to the residence. 

As detailed later in this post, email also allows for various controls and processes, which mitigate the risks of unsuccessful message delivery.

 

Most importantly, secure email provides data encryption, which safeguards the sensitive patient data within EoBs during transmission and when stored by rendering it unreadable to malicious actors who might intercept it. Physical mail, in contrast, offers no such protection, as someone who intercepts a paper EoB form can simply open it and freely read its contents.

 

Finally, secure email delivery platforms feature identity verification and access controls that enable healthcare insurers to restrict access to PHI to authorized personnel, limiting its exposure. They also provide auditing capabilities to track access to patient data, and quickly identify the source of security breaches.

HIPAA Compliance Benefits

Because sending an Explanation of Benefits statement via email is more secure, and better protects any patient data contained within them, this also reduces the risk of HIPAA compliance violations.

 

First and foremost, HIPAA regulations mandate that communications containing PHI, such as EoBs, must securely reach the intended recipient. By eliminating the risk of physical interception or non-delivery, and the compliance violations from a resulting security breach, insurers can better adhere to HIPAA regulations using email for sending EOBs. On a similar note, the security features built into a HIPAA compliant email platform, such as encryption, access controls, and audit logs, help insurers to satisfy the requirements of HIPAA’s Privacy and Security Rules in their compliance efforts.

 

Another considerable benefit of using secure email to send policyholders their EoBs, or, in fact, any communication containing PHI, is that it’s far easier to implement breach notification protocols. Email delivery platforms provide real-time tracking, so companies can pinpoint email message failures quickly and act accordingly. Similarly, intrusion detection systems and other cybersecurity measures that support email systems can enable faster detection and containment of data breaches.

 

In stark contrast, physical mail is far more difficult to track – and even those limited capabilities are reserved for more expensive delivery options. Consequently, security breaches via mail could go unnoticed for days or even weeks. If you’re unaware of a data breach, or have not yet contained or mitigated it, you’re then unable to inform all affected parties, resulting in further HIPAA violations.

Increased Deliverability Rates

By greatly mitigating the security risks presented by physical mail, i.e., the various ways an EoB could fall into the wrong hands, sending an EoB by email increases your ability to get more EOBs into the hands of policyholders, more quickly. At the same time, policyholders can make faster decisions regarding their healthcare.

The ability to track secure email gives you greater control over EOB deliverability, as it allows organizations to determine the cause of delivery failure and can also make subsequent attempts. Additionally, the process of determining the reason for the message delivery failures can also reveal security issues; the same process, however, is very difficult to achieve with traditional mail.

 

Here’s how the typical protocol for resending a secured email goes beyond what you can do with managing traditional mail delivery:

 

  • Determine the cause of non-delivery: verify that the intended recipient information is correct and check for issues like a full email inbox or security misconfigurations. 
  • Don’t automatically resend: to avoid exposing PHI to the wrong person, confirm the intended recipient’s email address through an alternative verified channel, e.g., phone call, secure SMS, etc. 
  • Log the incident: document the delivery failure, steps taken to determine its cause, attempts, etc.
  • Reattempt message delivery: if the investigation deems it safe, attempt message redelivery with the corrected information. 

In the event that subsequent delivery attempts fail, it’s best practice to contact the individual to arrange the most convenient and secure alternative to deliver their EoBs. 

Cost Savings 

Simply put, sending Explanation of Benefits statements via email instead of traditional mail saves health insurers money – potentially lots of it. Processing EOBs from start to finish can cost health insurers one to two dollars or more per EOB. That’s a lot. The biggest opportunity for cost reduction is tied to the money saved on printing and mailing paper EoB statements. Additionally, the cost of administering the delivery of EoB forms, ensuring their delivery, etc., is lowered when it’s done electronically. Not to mention, resending EoBs in the event of their non-delivery is much easier and cheaper via email.

 

In a broader sense, increasing the deliverability and the success rate of sending EoBs helps a larger number of policyholders better understand the details of their insurance coverage, i.e., how it works, which services and procedures it covers, etc. As a result of their policyholders being more informed, insurers won’t spend as much time explaining policy details and cost breakdowns to their members, allowing them to divert the otherwise required resources to other areas of the business.  

Reduced Carbon Footprint

Finally, it’s difficult to highlight the benefits of sending EoBs to policyholders by email without recognizing the positive environmental impact, too. Email EoBs cut down on paper, for both the forms themselves and the envelopes they’re mailed in. Then there’s the matter of the electricity and ink involved in printing them, the emissions produced in their delivery, etc. Opting to send EoBs via email reduces all these factors, which enables healthcare organizations to lower their carbon footprint and, where applicable, meet their sustainability obligations or goals. 

Deliver EoBs More Securely, Reliably, and at Lower Cost with LuxSci

LuxSci’s Secure High Volume Email Solution enables healthcare insurance companies to instantly send Explanation of Benefits statements to policyholders at a massive scale, extending into hundreds of thousands or millions per month.

 

Our HIPAA compliant email delivery platform features:

 

  • Dedicated IPs that isolate critical transactional messages, such as EoBs, from other email traffic, allowing LuxSci customers to reach deliverability rates of 98% or more. 
  • Real-time tracking for determining the delivery status of EoBs, as well as troubleshooting unsuccessful delivery attempts.
  • Flexible encryption through LuxSci’s proprietary SecureLine Technology, which automatically adjusts encryption settings according to the recipient to better ensure the protection of sensitive data.

Contact us today to learn more about how your organization can begin the transition to electronic EoBs.

Read More

You Might Also Like

In-Home Care Email Use Cases

HIPAA-Compliant Email: 7 Use Cases for In-Home Care

The demand for in-home care is growing as patients increasingly seek personalized, convenient healthcare in the comfort of their homes. A key reason for this increase is the rise in the number of baby boomers, i.e., people aged 65 and older, opting for in-home care.

In fact, as of 2020, there were approximately 76.4 million Baby Boomers in the United States, with projections indicating that by 2040, there will be roughly 80.8 million Americans over the age of 65. Consequently, the need for in-home care services will only grow to accommodate the health needs of this expanding demographic. 

For in-home care providers, remaining competitive in this space requires increased levels of patient engagment over digital channels and the inclusion of protected health information (PHI) to personalize communications. As a result, incorporating secure, HIPAA-compliant email communications and campaigns into your in-home patient outreach efforts both enhances engagement and yields significant operational and financial benefits. 

In this post, we explore 7 impactful use cases for HIPAA-compliant secure communications for in-home care, including how providers can harness them to achieve their efficiency goals and growth objectives, while improving health outcomes for patients.

What Are the Benefits of HIPAA-Compliant Email for In-Home Care Providers?

Before we dive into the most common email use cases for in-home care providers, let’s look at why adopting secure, personalized communication strategies offer several advantages:

  • Avoiding the Consequences of HIPAA Non-compliance: including sensitive patient data in communications without implementing the security measures required by HIPAA can incur financial (fines, compensation), operational (time spent mitigating security threats), and reputational (being seen as untrustworthy with PHI) consequences. 
  • Enhanced Efficiency and Outcomes: streamlined communications, such as automated appointment reminders, reduce administrative tasks and missed appointments, allowing staff to spend more of their time engaging patients to drive better health outcomes.
  • Improved Patient Satisfaction: timely, relevant, and personalized communications demonstrate a commitment to patient well-being and positive engagements, fostering trust and loyalty.
  • Cost Savings: Secure, personalized communications lead to significant cost reductions by preventing miscommunications and the resulting complications. 
  • Increased brand connection: with HIPAA-compliant communications, you can foster a better understanding of the full extent of your capabilities, the value you provide, and, ultimately, the vital role you play in your patients’ healthcare journey. 

High-Impact HIPAA-Compliant Use Cases for In-Home Care

1. Appointment Reminders

Missed appointments are a substantial financial burden on healthcare organizations. In the U.S., they result in an estimated $150 billion in losses annually, with each no-show costing businesses approximately $200 per hour. 

Sending personalized, secure appointment reminders via HIPAA-compliant email and text messaging can significantly reduce no-show rates, cutting costs, boosting revenue, and, most importantly, increasing patient adherence to care. Better still, appointment reminders can be automated, e.g., with confirmations sent at the time of booking and reminders scheduled to go out a few days before the appointment. This not only ensures consistent communication, with minimal additional administrative overhead, but also increases the utility and value of the in-home care service.  

2. Follow-Up Communications

Frequent follow-up email communications are an effective way to monitor a patient’s progress, ensuring adherence to treatment plans and enabling them to adapt a health regime according to potential changes in their condition. 

A few examples of situations that warrant a follow-up email include:  

  • After an initial consultation
  • After an appointment with an in-home care professional
  • After a treatment or surgery
  • After in-home medical equipment training 
  • After a patient has started a new course of medication

Follow-up email communications could include advice on booking a subsequent appointment, aftercare advice, or guidelines for taking medication. Again, as with appointment reminders, follow-up emails can be automated to streamline the process. 

3. Personalized Treatment Plans

Tailoring treatment plans to fit a patient’s specific needs enhances treatment efficacy and reduces the likelihood of adverse effects. Secure email plays a crucial role in the development and distribution of treatment plans, which always include PHI, providing a channel by which healthcare providers can share sensitive patient data quickly and coordinate on any courses of action.

Email security measures, such as encryption, access control, and user authentication protect patient data from the malicious efforts of cybercriminals, while ensuring compliance with HIPAA’s Security Rule.  

4. Care Coordination

Effective care coordination is essential for in-home care success where multiple healthcare professionals, such as nurses, therapists, and caregivers, must consistently collaborate to deliver high levels of patient care. 

Offering critical functions such as treatment updates and emergency alerts, HIPAA-compliant email communications can ensure that all necessary parties remain in the loop about any situations regarding their shared patients. Additionally, integrating HIPAA-compliant email with a customer data platform (CDP) solution, electronic health record (EHR) systems, or any other system where PHI resides, allows in-home care providers to access and update patient records in real time, ensuring access to up-to-date information across the care team.

5. Proactive Patient Education

Educating patients through secure, personalized communications helps to enhance their competence in matters regarding their health, thereby increasing confidence in their ability to manage their healthcare journey more effectively, and resulting in greater engagement. Using PHI to segment patients by their condition or certain demographics (e.g., age, gender, lifestyle factors) and send them relevant educational materials is a powerful way for in-home care providers to offer additional value. This could include: 

  • Advice on managing a particular condition of injury, e.g., chronic disease management
  • Informing patients and customers of events related to their present state of health, e.g., classes for expectant mothers, support groups for cancer patients, etc. 
  • Tips related to improving their health according to recent diagnoses and known lifestyle factors, e.g., smoking cessation strategies, dietary advice, etc.  

Patient education is such an effective use of HIPAA-compliant email because it can be done frequently. Plus, it offers the additional benefits of helping to position the in-home care provider as an expert, increasing patient trust and boosting adherence to prescribed health advice. 

6. Collecting Patient and Customer Feedback

Another simple, yet powerful use of secure email communication is to collect feedback and intelligence from patients, via integrated, secure email and forms, for review requests, surveys, and polls. By gaining insight into how your patients and customers feel about the quality of your in-home care products and services, you can pinpoint areas for improvement. As well as increasing customer satisfaction levels, this will also present opportunities to root out inefficiencies and cut costs in the process. 

Additionally, asking for feedback helps increase patient trust, because you’ve displayed a commitment to improving your service and that you’re interested in the opinion of your patients and customers. 

7. Health Alerts

HIPAA-compliant email is a helpful tool for making patients aware of situations or circumstances that could adversely affect their health. This could include alerts about virus outbreaks in their area or adverse weather events that could affect their in-home healthcare provision. To maximize value, these email alerts can be paired with advice to help patients through potential health emergencies, such as information on vaccine drives, activities to avoid during a period of rough weather, and support resources should they require more assistance.  

Elevate Your In-Home Care Communications with LuxSci HIPAA-Compliant Email

LuxSci stands at the forefront of secure healthcare communications, offering HIPAA-compliant email, text, forms and marketing solutions for the security and compliance needs of in-home care providers. With over 25 years of experience, LuxSci provides secure high-volume email solutions, solutions for making Google Workspace and Microsoft 365 HIPAA-compliant, secure text messaging, and secure forms solutions that enable personalized, efficient, and effective patient engagement across a variety of channels. 

Using LuxSci’s suite of secure communication tools, in-home care providers can streamline their operations, drive better, more personalized engagement, and improve health outcomes for the growing numbers of patients looking for healthcare services at home. Contact LuxSci today to learn more.

Read More
HIPAA Compliant

Can a Website Be HIPAA Compliant?

A website can be HIPAA compliant when it incorporates security measures, privacy protections, and data handling practices that meet HIPAA regulatory requirements. Healthcare organizations must implement encryption, access controls, audit logging, and secure data storage for websites that collect, store, or transmit protected health information. A well configured HIPAA compliant website helps healthcare providers maintain patient privacy while offering online services.

HIPAA Website Requirements

Websites handling protected health information must meet the standards established in the HIPAA Security Rule. These requirements include encryption for data transmission using protocols like TLS 1.2 or higher. Access controls limit website data viewing to authorized personnel with appropriate login credentials. Audit logging tracks all user activities and data access attempts across the website. Session timeouts automatically log out inactive users to prevent unauthorized access. Regular security testing identifies and addresses potential vulnerabilities. These measures work together to protect patient information from unauthorized access or disclosure.

Website Hosting and Infrastructure

HIPAA compliant hosting provides the foundation for a secure healthcare website. When selecting a hosting provider, healthcare organizations look for companies willing to sign a Business Associate Agreement (BAA). This legal document establishes the hosting provider’s responsibilities for protecting health information. The physical location of servers matters, with many HIPAA compliant services using data centers with restricted access, environmental controls, and monitoring systems. Network protection typically includes firewalls, intrusion detection, and regular security updates. Organizations often choose dedicated hosting environments rather than shared servers to maintain data separation.

Patient Data Collection and Forms

Most healthcare websites collect information through online forms. HIPAA compliant websites include appropriate authorization language on these forms before gathering protected health information. Well-designed websites explain how patient data will be used in clear, accessible language. Form data requires protection both during transmission and after submission. Many websites use secure database connections and encryption for stored information. Healthcare organizations determine what information they actually need to collect, following the minimum necessary standard from HIPAA regulations. User-friendly form design can improve completion rates while maintaining compliance.

Secure Patient Portals and Interaction

Patient portals on HIPAA compliant websites allow secure access to medical records, appointment scheduling, and provider communications. These portals employ authentication measures like password requirements and account recovery processes. Many implement automatic timeout features that log out inactive users after a set period. Secure messaging features enable patient-provider communication without using standard email. The best patient portals maintain detailed logs of all system access and actions. Healthcare organizations integrate these portals with their electronic health record systems for data consistency and accuracy.

Mobile Responsiveness and App Integration

Modern HIPAA compliant websites function across various devices while maintaining security protections. Mobile responsive design allows patients to access information securely from smartphones and tablets. When healthcare organizations develop companion mobile apps, these applications need the same HIPAA compliance measures as their websites. Integration between websites and mobile applications requires secure API connections and consistent authentication methods. Many healthcare providers test their digital platforms across multiple devices to ensure both functionality and security. The mobile experience influences patient satisfaction with digital healthcare services.

Compliance Maintenance

Healthcare websites require regular updates and monitoring to maintain HIPAA compliance over time. Technology changes quickly, and security measures that worked previously may become outdated. Website administrators perform regular security scans and vulnerability testing. Organizations document these maintenance activities as evidence of compliance efforts. Staff training helps ensure everyone handling website data understands privacy requirements. As regulations evolve, websites need corresponding updates to privacy notices and security features. Many healthcare organizations work with compliance consultants who specialize in digital healthcare requirements.

Read More
luxsci and main capital logos

LuxSci Receives Majority Investment from Main Capital Partners

Main Capital Partners announces a majority investment in Lux Scientiae, Incorporated (‘LuxSci’), a leading provider of healthcare-focused secure communications and secure hosting solutions. The investment reflects Main’s commitment to the healthcare market and desire to build robust, international software groups.

Founded in 1999, LuxSci is a leading American provider of HIPAA-compliant secure communications and secure hosting solutions. LuxSci’s application and infrastructure software enables organizations to securely deliver personalized sensitive data at scale. Certified by HITRUST to support customers with HIPAA compliance requirements, LuxSci serves dozens of healthcare enterprises and hundreds of middle-market organizations. Customers include providers, healthcare IT firms, medical device manufacturers, and companies active in other highly regulated industries.

With the strategic support of Main, LuxSci will strengthen its market position and its capabilities to meet the complex needs of modern healthcare organizations. In addition to fostering organic growth in the North American market, LuxSci and Main will explore opportunities for strategic acquisitions to expand the product portfolio and accelerate internationalization.

Erik Kangas (PhD), Founder & CEO of LuxSci, expressed his enthusiasm for the partnership, stating: “Having led LuxSci through 23 profitable bootstrapped years, I am extremely excited to partner with Main. Their resources and expertise will enable us to expand our technology and deepen our market penetration at a time when the demand for high-security communications solutions has never been greater.”

Jeanne Fama (PhD, MBA), COO & CSO of LuxSci, adds: “We are excited about the partnership’s potential to increase the awareness and adoption of LuxSci’s communication solutions and potentiate their impact in healthcare organizations seeking to improve clinical and business outcomes and increase patient satisfaction and loyalty.”

Main has demonstrated strong performance in both the healthcare and security markets, evidenced by investments such as Enovation (connected care solutions with over 350 employees across Europe) and Pointsharp (security and identity access management software with over 200 employees in Northwestern Europe). Main will leverage its experience and network in these markets to support LuxSci in its continued growth.

Daan Visscher, Co-Head of Main Capital North America, concludes: “We are thrilled to partner with the LuxSci team in spearheading the company’s next phase of growth. We are impressed by LuxSci’s double-digit recurring revenue growth, the underlying product, the management team’s capabilities, and the unwavering commitment to customers. We see ample opportunities to drive value through honing operational excellence, accelerating organic growth, and executing select strategic acquisitions. The result will be a robust, international software group positioned to meet the evolving needs of healthcare organizations.”

Pagemill Partners, the tech investment banking division of Kroll, served as financial advisor to LuxSci and Cooley LLP acted as legal advisor to LuxSci. Morse, Barnes-Brown & Pendleton, PC acted as legal advisor to Main.

About LuxSci

LuxSci is a leading provider of highly scalable secure communications and secure hosting solutions. Certified by HITRUST, LuxSci helps organizations navigate complex HIPAA regulations and safeguard sensitive data. LuxSci serves nearly 2,000 customers across healthcare and other highly regulated industries.

About Main Capital Partners

Main Capital Partners is a leading software investor active in Northwestern Europe and North America. Main has over 20 years of experience in software investing and works closely alongside management teams to achieve sustainable growth. Main has 70 employees operating out of its offices in The Hague, Stockholm, Düsseldorf, Antwerp, and Boston. Main has over EUR 2.2 billion in assets under management and maintains an active portfolio of over 40 software groups. The underlying portfolio employs over 12,000 employees.

Read More
biggest email threats

Know the Biggest Email Threats Facing Healthcare Right Now

Due to its near-universal adoption, speed, and cost-effectiveness, email remains one of the most common communication channels in healthcare. Consequently, it’s one of the most frequent targets for cyber attacks, as malicious actors are acutely aware of the vast amounts of sensitive data contained in messages – and standard email communication’s inherent vulnerabilities.

 

In light of this, healthcare organizations must remain aware of the evolving email threat landscape, and implement effective strategies to protect the electronic protected health information (ePHI) included in email messages. Failing to properly secure email communications jeopardizes patient data privacy, which can disrupt operations, result in costly HIPAA compliance violations, and, most importantly, compromise the quality of their patients’ healthcare provision.

 

With all this in mind, this post details the biggest email threats faced by healthcare organizations today, with the greatest potential to cause your business or practice harm by compromising patient and company data. You can also get our 2025 report on the latest email threats, which includes strategies on how to overcome them.

Ransomware Attacks

Ransomware is a type of malware that encrypts, corrupts, or deletes a healthcare organization’s data or critical systems, and enables the cybercriminals that deployed it to demand a payment (i.e., a ransom) for their restoration. Healthcare personnel can unwittingly download ransomware onto their devices by opening a malicious email attachment or clicking on a link contained in an email.

In recent years, ransomware has emerged as the email security threat with the most significant financial impact. In 2024, for instance, there were over 180 confirmed ransomware attacks with an average paid ransom of nearly $1 million. 

Email Client Misconfiguration

While a healthcare organization may implement email security controls, many fail to know the security gaps of their current email service provider (ESP) or understand the value of a HIPAA compliant email platform, leaving data vulnerable to email threats, such as unauthorized access and ePHI exposure, and also, subsequently, a greater risk of compliance violations and reputation damage.


 

Common types of email misconfiguration include:

 

  • Lack of enforced TLS encryption: resulting in emails being transmitted in plaintext, rendering the patient data they contain readable by cybercriminals in the event of interception during transit.
  • Improper SPF/DKIM/DMARC setup: failure to configure or align these email authentication protocols correctly gives malicious actors greater latitude to successfully spoof trusted domains.
  • Disabled or lax user authentication: a lack of authentication measures, such as multi-factor authentication (MFA), increases the risk of unauthorized access and ePHI exposure.
  • Misconfigured secure email gateways: incorrect rules or filtering policies can allow phishing emails through or block legitimate messages.
  • Outdated or unsupported email client software: simply neglecting to download and apply the latest updates or patches from the email client’s vendor can leave vulnerabilities, which are well-known to cybercriminals, exposed to attack.

Social Engineering Attacks

A social engineering attack involves a malicious actor deceiving or convincing healthcare employees into granting unauthorized access or exposing patient data. Relying on psychological manipulation, social engineering attacks exploit a person’s trust, urgency, fear, or curiosity, and encompass an assortment of threats, including phishing and business email compromise (BEC) attacks, which are covered in greater depth below.

Phishing

As mentioned above, phishing is a type of social engineering attack, but they are so widespread that it warrants its own mention. Phishing sees malicious actors impersonating legitimate companies, or their employees, to trick victims into revealing sensitive patient data. 

Subsequently, healthcare organizations can be subjected to several different types of phishing attacks, which include:

 

  • General phishing: otherwise known as bulk phishing or simply ‘phishing’, these are broad, generic attacks where emails are sent to large numbers of recipients, impersonating trusted entities to steal credentials or deliver malware. 
  • Spear phishing: more targeted attacks that involve personalized phishing emails crafted for a specific healthcare organization or individual. These require more research on the part of malicious actors and typically use relevant insider details gleaned from their reconnaissance for additional credibility.
  • Whaling: a form of spear phishing that specifically targets healthcare executives or other high-level employees. 
  • Clone phishing:  when a cybercriminal duplicates a legitimate email that was previously received by the target, replacing links or attachments with malicious ones.
  • Credential phishing: also known as ‘pharming’, this involves emails that link to fake login pages designed to capture healthcare employees’ usernames and passwords under the guise of frequently used legitimate services.

Domain Impersonation and Spoofing

This category of threat revolves around making malicious messages appear legitimate, which can allow them to bypass basic email security checks. As alluded to above, these attacks exploit weaknesses in email client misconfigurations to trick the recipient, typically to expose and exfiltrate patient data, steal employee credentials, or distribute malware.

 

Domain spoofing email threats involve altering the “From” address in an email header to make it appear to be from a legitimate domain. If a healthcare organization fails to properly configure authentication protocols like SPF, DKIM, and DMARC, there’s a greater risk of their email servers failing to flag malicious messages and allowing them to land in users’ inboxes.

 

Domain impersonation, on the other hand, requires cybercriminals to register a domain that closely resembles a legitimate one. This may involve typosquatting, e.g., using “paypa1.com” instead of “paypal.com”. Alternatively, a hacker may utilize a homograph attack, which substitutes visually similar characters, e.g., from different character sets, such as Cyrillic. Malicious actors will then send emails from these fraudulent domains, which often have the ability to bypass basic email filters because they aren’t exact matches for blacklisted domains. Worse still, such emails can appear authentic to users, particularly if the attacker puts in the effort to accurately mimic the branding, formatting, and tone used by the legitimate entity they’re attempting to impersonate. 

Insider Email Threats

In addition to external parties, employees within a healthcare organization can pose email threats to the security of its PHI. On one hand, insider threats can be intentional, involving disgruntled employees or third-party personnel abusing their access privileges to steal or corrupt patient data. Alternatively, they could be the result of mere human error or negligence, stemming from ignorance, or even fatigue.

 

What’s more, insider threats have been exacerbated by the rise of remote and flexible conditions since the onset of the COVID-19 pandemic, which has created more complex IT infrastructures that are more difficult to manage and control.  

Business Email Compromise (BEC) Attacks

A BEC attack is a highly targeted type of social engineering attack in which cybercriminals gain access to, or copy, a legitimate email account to impersonate a known and trusted individual within an organization. BEC attacks typically require extensive research on the targeted healthcare company and rely less on malicious links or attachments, unlike phishing, which can make them difficult to detect.

 

Due to the high volume of emails transmitted within the healthcare industry, and the sensitive nature of PHI often included in communications to patients and between organizations, the healthcare industry is a consistent target of BEC attacks.

 

BEC attacks come in several forms, such as:

 

  • Account compromise: hijacking a real employee’s account and sending fraudulent messages.
  • Executive fraud: impersonating high-ranking personnel to request urgent financial transactions or access to sensitive data.
  • Invoice fraud: pretending to be a vendor asking for the payment of a fraudulent invoice into an account under their control.

Supply Chain Risk

Healthcare organizations increasingly rely on third-party vendors, including cloud service providers, software vendors, and billing or payment providers to serve their patients and customers. They constantly communicate with their supply chain partners via email, with some messages containing sensitive patient data; moreover, some of these organizations will have various levels of access to the PHI under their care.

 

Consequently, undetected vulnerabilities or lax security practices within your supply chain network could serve as entry points for email threats and malicious action. For instance, cybercriminals can compromise the email servers of a healthcare company’s third-party vendor or partner, and then send fraudulent emails from their domains to deploy malware or extract patient data.

 

Another, somewhat harrowing, way to understand supply chain risk is that while your organization may have a robust email security posture, in reality, it’s only as strong as that of your weakest third-party vendor’s security controls.

Download LuxSci’s Email Cyber Threat Readiness Report

To gain further insight into the biggest email threats to healthcare companies in 2025, including increasingly prevalent AI threats, download your copy of LuxSci’s Email Cyber Threat Readiness Report

 

You’ll also learn about the upcoming changes to the HIPAA Security Rule and how it’s set to impact your organization going forward, and the most effective strategies for strengthening your email security posture.

 

Grab your copy of the report here and begin the journey to strengthening your company’s email threat readiness today.

Read More