email Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more

Posts Tagged ‘email’

Has Your Email Been Read? Read Receipts and Web Bugs

Wednesday, July 1st, 2020


Customers often ask how they can know if a message has been read by a specific recipient. Typically, this is done by requesting a “Read Receipt” when sending the message; however, read receipts are not reliable. Spammers use techniques such as HTML “web bug” tracking to see if you have read an email message and thus if your email address is valid and ripe for more spamming; this is also not reliable. LuxSci’s SecureLine Escrow service includes a 100% reliable Read Receipt function that can be used when it is essential to know if someone has read a message. It also allows for message retraction (removing further access to an email message).

This article goes over these various methods of determining if a message has been read, shows how each works, and discusses the pros and cons of each.
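The “web bug” technique mentioned above is worth being able to spot on the receiving side. The following is an added example (not LuxSci’s code) of a small heuristic scanner that flags remote images in an HTML email body that look like tracking pixels: 1x1 images, hidden images, or image URLs carrying a per-recipient token. The token key list and the sample HTML are assumptions constructed for illustration.

```python
# Heuristic detector for HTML "web bugs" (tracking pixels) in an email body.
# Added example, not LuxSci's code; the token keys below are an assumption.
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Query keys that often tie an image load to one recipient (illustrative list).
TOKEN_KEYS = {"uid", "id", "rid", "token", "email", "e", "u"}

class _ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = []  # one attribute dict per <img> tag

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))

def _dim(value):
    m = re.match(r"\s*(\d+)", value or "")  # '1', '1px' -> 1; else None
    return int(m.group(1)) if m else None

def find_web_bugs(html):
    """Return [(src, [reasons])] for remote images that look like trackers."""
    parser = _ImgCollector()
    parser.feed(html)
    findings = []
    for img in parser.images:
        src = img.get("src") or ""
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # cid:/data: images never contact a remote server
        reasons = []
        w, h = _dim(img.get("width")), _dim(img.get("height"))
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("1x1 pixel")
        style = (img.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        if TOKEN_KEYS & set(parse_qs(url.query)):
            reasons.append("per-recipient token in URL")
        if reasons:
            findings.append((src, reasons))
    return findings

# Constructed sample: normal logo, classic 1x1 pixel, hidden tokenised image, inline part.
SAMPLE_HTML = """<img src="https://cdn.example.test/logo.png" width="200" height="50">
<img src="https://track.example.test/open.gif?uid=abc123" width="1" height="1">
<img src="https://track.example.test/p.png?e=x" style="display: none">
<img src="cid:inline-part" width="1" height="1">"""
```

Mail clients that block remote image loading by default defeat these trackers regardless of detection; the scanner is useful for gateway-side labelling or user warnings.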


Is Amazon Simple Email Service (SES) HIPAA Compliant?

Thursday, March 19th, 2020

Because Amazon Web Services (AWS) is very inexpensive, very well known, and offers “HIPAA-compliant” solutions to some degree, we are often asked if, and to what degree, Amazon Simple Email Service (SES) is HIPAA compliant. AWS is a big player offering countless services on which companies can build and/or host applications and infrastructures. One of the myriad services provided by Amazon is their “Simple Email Service” (AWS SES for short). Organizations are very interested in determining if the services offered are appropriate for their use cases and if use of specific Amazon services will leave them non-compliant or at risk. Indeed, the larger the organization, the more concern we encounter.



Enterprise-Grade High Volume Secure Email Sending API

Tuesday, February 4th, 2020

LuxSci has released an enhancement to its REST API targeted at fast, reliable, large-scale email sending. While LuxSci’s API has had features for secure email sending for many years, the new API call is specifically designed with the needs of enterprise email sending in mind.

The new “Send Email” High Volume API call enables:

  1. Pipelining: Send up to 1,000 email messages per request.
  2. Recipients: Send to up to 1,000 email recipients per request.
  3. Works for sending HIPAA-compliant secure email or regular email.
  4. Load Balancing: Distributes your outbound email messages across your multiple dedicated outbound email servers.
  5. Fail Over: If you have multiple outbound email servers and one is down for some reason, the API will automatically retry sending through other servers.
  6. Queuing: If you are depositing email into the API faster than your email servers can send, or if your email servers are down for some reason (e.g., maintenance), the messages will be accepted, queued, and delivered automatically as soon as possible.
  7. Tracking: Email delivery, bounce, click, feedback loop, and open tracking works just like it does for messages sent via SMTP.
  8. Encryption and all other email sending features currently supported by direct SMTP sending (e.g., tag lines, encryption “Opt Out”, etc.) are supported by the API.
  9. SMTP Limits: Your overall API-based email sending is limited only by the number of messages and recipients you are normally allowed to send via SMTP.



Email Data Breaches Are the Most Common Incident Location According to OCR Data

Monday, November 4th, 2019

Email data breaches were the most common incident location listed in breach notification data from the Office for Civil Rights (OCR), a branch of the Department of Health and Human Services. From the first of June, 2019 until the time of writing, 178 different breaches had been reported to the authorities.

Of these breaches, 69 involved email as their “Location of Breached Information”. In total, these email-related breaches affected almost 850,000 individuals – that’s almost a million people who had their data exposed or stolen due to either hacking or improper use. All in just six months.

Email data breaches were the clear frontrunner, with network servers following a reasonable distance behind them as the second most common location of breached information. Network servers were involved in 54 of the cases.

So what do these figures tell us?

Email Is Still the Weakest Link in Security & Data Breaches

If the OCR data reveals that email is the most common location of data breaches in recent times, then it suggests that we have major issues in our approach to using email.

The data doesn’t necessarily mean that email technology is inherently less secure than network servers or the other incident locations – the results may be caused by how ubiquitous email is for communication, how easy it is for hackers to trick us over email, or how cavalier our attitudes are towards it.

However, the data does indicate that email is still a major source of problems, and we need to take the necessary steps to minimize its role in the cavalcade of data breaches we seem to experience.

Preventing Email Data Breaches

Data breaches are a concern for all businesses, because they can result in business disruption, damage a brand’s reputation, and result in huge compensation costs as well as fines.

This is especially true for organizations in the health sector and their business associates who deal with ePHI. Not only is the data they possess valuable and attractive to hackers, but they are also governed by strict HIPAA laws and the harsh penalties that come alongside them.

This makes email data breach prevention incredibly important for those both inside and outside of the health sector. The good news is that there are several things businesses can do to reduce the risks they face.

One of the first steps should be to adopt a secure email service like LuxSci’s HIPAA-compliant email hosting. Our solution offers a high degree of security configuration options that help organizations protect their data according to their own unique needs. These include support for PGP, S/MIME, portal pickup and TLS, providing protection for email both in transit and in storage.

LuxSci’s premium email filtering also helps to stop attackers from ever making their way into employee inboxes, preventing them from gaining footholds that they can use to cause email data breaches.

Although the OCR’s notification data doesn’t go into depth, it’s likely that many of the affected businesses either weren’t using secure email software, or were using it inappropriately. Our HIPAA-compliant service can help to cut down on the risks that organizations face, reducing the likelihood of them ending up on the OCR’s list in the future.

While the majority of email data breach incidents in the OCR figures were due to hacking, some were the result of unauthorized access or disclosure. These acts are often overlooked, but they still contribute to costly and disruptive breaches.

LuxSci’s email hosting can help to cut down on accidental email data breaches because we offer features like opt-out encryption. When our clients enable it, it means that their employees have to actively opt-out when they don’t want encryption to protect a message.

This almost completely eliminates incidents where employees simply forget to encrypt sensitive data. They would have to go out of their way to do so, which makes opt-out encryption a simple way for organizations to reduce the risks they face.

Email data breaches are one of the huge risks that businesses face in our internet age. Thankfully, there are straightforward steps that organizations can take to minimize them, which helps to save money in the long run. LuxSci’s email service is just one of them. We also offer a wide range of other secure services such as hosting and forms.

Do Healthcare Marketing Emails Have to Be HIPAA-Compliant?

Friday, July 26th, 2019

Healthcare is a competitive business, and those in the industry are facing increasing pressure to maintain their standing against their rivals. One of the key tactics for keeping up involves having a carefully planned marketing strategy.

While there are a range of different approaches that companies can take, sending out marketing emails proves popular, because many organizations have substantial email lists of their clients.

This practice can have a range of business advantages, but the more cautious in the sector may be wondering “Do healthcare marketing emails have to be HIPAA-compliant?”

It’s an important question to ask, and one that’s not exactly clear-cut, because the answer is dependent on the context.

Does the Email Contain Protected Health Information?

Information is protected by HIPAA regulations if it contains “protected health information” that is “individually identifiable.”  The term “protected health information” refers to any data that relates to a person’s health, treatment or payment information, whether it is in the past, present, or future.

Under this definition, things like the results of a test, a prescription, an appointment notice, or a receipt for healthcare services are just a few of the many things considered “protected health information.”

Is the Information Individually Identifiable?

If information is individually identifiable, it can somehow be linked back to the individual. There is a long list of identifiers, such as names, addresses, birthdays, contact details, insurance details, biometrics, and many more, that are considered possible identifiers under HIPAA. The final entry in the official list of possible identifiers is “Any other characteristic that could uniquely identify the individual”, so this concept really is all-encompassing.

Does the Marketing Email Tick Both Boxes?

If it does, then the email needs to be sent in a HIPAA-compliant manner. If it doesn’t, your organization may be safe. But before you rush into sending off your emails, you need to be careful, because the edges of HIPAA can be blurred, and it’s best to stay on the safe side.

Let’s give you an example. A clinic comes across a study that recommends new dietary supplementation for expectant mothers. It decides that it can use this information not just to help mothers-to-be, but also to bring in new business. The clinic then sends out an email to all of its expectant mothers with details from the new study, asking them to make an appointment if they have any further questions.

Everything should be above board, right? Well, maybe not. Because the email was only sent to expectant mothers, it implies that everyone in the group is an expectant mother, which means that it could be considered protected health information. Since it was also addressed to each of their email addresses, it also contains individually identifiable information.

With both of these characteristics in place, it’s easy to see how this kind of email could potentially fall foul of HIPAA regulations. If the email had been sent to every member of the clinic, then it might not be viewed as violating HIPAA, because such an approach wouldn’t single out the women who were pregnant (though it might single you out as a former patient of that clinic and, depending on what the clinic is, that could also imply things about your past/present/future medical treatments). While this kind of situation sounds rare, it’s important to appreciate that it can and does occur, so that your organization is more cautious and doesn’t unwittingly end up with a HIPAA violation.

Even if most of your organization’s emails never tick both of these boxes, it may be best to send them in a HIPAA-compliant manner anyway. This is because a slight, unintentional change to your organization’s approach could lead to the inclusion of ePHI, leading your company to a HIPAA violation.

When you consider the high penalties of these violations in comparison to the insignificant costs of sending HIPAA-compliant messages, making sure that all of your organization’s emails are sent in compliance with the regulations ends up being a pretty cheap insurance policy.

How Can You Make Healthcare Marketing Emails HIPAA-Compliant?

If your organization sends out marketing emails that could contain ePHI, then it’s important to make sure that they are sent in a HIPAA-compliant manner. The best approach is to use a HIPAA-compliant bulk email service, such as LuxSci’s High Volume Secure Email Sending.

Your organization will need to sign a HIPAA Business Associate Agreement with the service provider and use the appropriate encryption, access control and other security mechanisms that are needed to protect ePHI.

Using a service with opt-out encryption (as opposed to one with risky opt-in encryption, which requires you to actively specify which messages need encryption) limits the risks of user error, which means that your organization is freer to send out its marketing emails without such a significant threat of accidentally violating HIPAA regulations.