Mailchimp data breach exposes hundreds of customer accounts

by Sara Uzer


Mailchimp, an email and social media marketing company, recently reported the discovery of a data breach that exposed information across over 300 customer accounts.

Here’s what to know about the Mailchimp hack and how to reduce the risk in your organization. Plus, learn why a HIPAA compliant email marketing platform is crucial for healthcare to stay secure and one step ahead of hackers.

What happened?

Mailchimp’s security team learned that a bad actor gained access to one of the company’s internal customer support tools on March 26 through a social engineering attack.

On April 2, the cybercriminal attempted to send a phishing campaign to a user’s contacts from the account with the information they obtained. Mailchimp successfully blocked the bad actor from the account and prevented further access to the platform. However, a phishing campaign was still distributed to the user’s contacts through another technique.

Mailchimp worked with forensics professionals to uncover the full scope of the incident. This investigation determined that 319 Mailchimp accounts were accessed and audience data was exported from 102 of those accounts. The bad actor specifically targeted users in the cryptocurrency and finance industries.

How is Mailchimp responding to the incident?

After discovering the incident, Mailchimp quickly limited employee access to all internal systems. The company also immediately notified all impacted accounts via email.

In order to prevent future attacks, Mailchimp will be “enacting an additional set of aggressive measures to ensure the security of users’ data.” Mailchimp’s statement also notes that the company will be continuing its investigation and providing transparent communication throughout the process.

How healthcare can make email secure

The Health Sector Cybersecurity Coordination Center (HC3) issued an alert in response to the attack. The alert warns the health sector to “stay cautious of suspicious emails originating from legitimate email marketing platforms such as Mailchimp.”

HC3 notes that user awareness training is one of the best defenses against these types of incidents. Further recommendations include “implementing antivirus and network intrusion prevention systems and restricting web-based content that may not be necessary for business operations.”

Anti-spoofing and email authentication tools are additionally mentioned as smart email security best practices to confirm the validity and integrity of messages.
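As an added illustration of the email authentication checks HC3 mentions (example code, not from the article or from HC3), the function below reads the Authentication-Results header a receiving mail server adds after evaluating SPF, DKIM and DMARC, and only accepts a message when all three report pass. The sample messages, hostnames and domains are constructed for the example.

```python
import email

# Constructed sample messages (not from the article). The first carries the
# results a receiving server would record for a properly authenticated
# message; the second has a failed DKIM signature.
AUTHENTICATED_MESSAGE = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounce.mail-platform.example;
 dkim=pass header.d=mail-platform.example;
 dmarc=pass header.from=clinic.example
From: Front Desk <news@clinic.example>
To: patient@example.org
Subject: Appointment reminder

Your appointment is confirmed.
"""

TAMPERED_MESSAGE = AUTHENTICATED_MESSAGE.replace("dkim=pass", "dkim=fail")


def parse_auth_results(header_value: str) -> dict:
    """Turn 'authserv-id; method=result ...; ...' into {method: result}."""
    results = {}
    # Collapse header folding so clauses can be split on ';'.
    flat = " ".join(header_value.split())
    # The first clause names the checking host, not a method; skip it.
    for clause in flat.split(";")[1:]:
        tokens = clause.strip().split()
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].split("=", 1)
            results[method.lower()] = result.lower()
    return results


def message_is_authenticated(raw_message: str) -> bool:
    """True only when SPF, DKIM and DMARC all report 'pass'."""
    msg = email.message_from_string(raw_message)
    results = parse_auth_results(msg.get("Authentication-Results", ""))
    return all(results.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))


if __name__ == "__main__":
    print(message_is_authenticated(AUTHENTICATED_MESSAGE))  # True
    print(message_is_authenticated(TAMPERED_MESSAGE))       # False
```

Note that a phishing message sent from a hijacked account on a legitimate platform passes all three checks, since it really did come from that platform; that is why HC3 pairs these tools with user awareness training.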

The power of HIPAA compliant email marketing

Data breaches like these serve as an important reminder for healthcare providers to ensure that all marketing efforts are compliant with HIPAA email rules. The problem is that many popular platforms are not built to meet these requirements.

Mailchimp is not willing to sign a business associate agreement (BAA). Therefore, the solution is not considered a HIPAA compliant email marketing platform. Other companies, such as Constant Contact, will sign a BAA but won’t permit the transmission of protected health information (PHI).

That’s where Paubox Marketing comes in. In addition to signing a BAA, our powerful HITRUST CSF certified, HIPAA compliant email marketing service allows you to securely include PHI in your marketing emails and send personalized messages to specific patients. Patients can also conveniently read your emails directly from their inbox without having to take any extra steps.

This means you can increase patient engagement, improve outcomes, and grow your business while avoiding HIPAA violations along the way.

Try Paubox Email Suite Plus for FREE today.