How to use Paubox Email API webhooks


Find out how easy it is to use Paubox API webhooks

Many services like Slack, Stripe, Teams, Zapier, Tray.io and others already have the option to generate a webhook URL and receive data from HIPAA compliant APIs like Paubox.

Webhooks are extremely useful to send and receive data between two services. They are reactive, which means that you don’t have to manage an always-on connection. This reduces the time spent on development, the amount of data used and the potential for errors during transfer.

Webhook diagram

See the image above to understand a bit more about webhooks. There are two systems, A and B. System A sends an API request on the occurrence of an event based on its configuration. System B processes that request and sends a response back to System A. There is no need to constantly poll for new data since the mechanism is completely event-based. 

SEE ALSO: Paubox Email API Quick Guide

How to set up a Paubox Email API webhook

To set up a webhook in Paubox, follow the steps below.

  1. Log in to your Paubox account.
  2. Click on Webhooks from the left menu bar.
  3. Click on the Add button. This opens a new modal on the screen.
  4. Enter a domain name and select an event type from the drop-down. There are four events you can choose from: Opened, Delivered, Temporary Failure, Permanent Failure. This event triggers a request from Paubox to the domain you have chosen.

Testing Paubox Email API webhooks without a domain

You can use the Webhook Site to obtain a free test URL if you don’t have a domain. Visiting the website automatically generates a unique URL and an email address. Copy the unique URL (but not the email address) when adding to Paubox. Every time you use our secure email API to send an email, it triggers a webhook and shows up on this page.


SEE ALSO: The 5-minute guide to Paubox Email API

Common use cases for webhooks

You can use webhooks in many cases. They are very open-ended. You can use them in situations where you want to confirm you’ve delivered a message or whether you’ve sent it from your end.

It is important to get a sense of what others might want to use webhooks for. To understand that, you can ask questions like:

  • How do you monitor email deliverability internally? Are there Slack channels or other triggered notifications?
  • How do you track important lead signups (i.e., signing up for a demo or scheduling an appointment)?
  • Do you intend to track email deliverability in an external database?
  • What happens after you send an email on your site/app currently?

Notifications

To surface deliverability problems in services like Slack or Microsoft Teams, a webhook can post a notification or system message whenever a message is not delivered or sent out properly. It might say something like ‘Message failed to send’ along with the response data. You can use middleware services like Tray.io, which is HIPAA compliant, to do this.

Follow-ups

Engineers may build out internal processes for:

  • What to do in the event an email is not sent out
  • A follow-up if it is sent successfully

This would include scheduling a new message based on the send status of the old one.

Campaign analytics

You may also use webhooks to successfully track total sends or unique sends for sign-ups, marketing initiatives, etc.

Workflow streamlining

Sending and delivering information to a central database can potentially be a slow or difficult task to maintain. Using webhooks, developers can send information and scale it without having to maintain lots of custom code. In cases where they are using custom code, webhooks can be an easy replacement that can push deliverability data to the database and improve maintainability.
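As an added example (this is not Paubox's code and does not appear on the original page), here is a minimal webhook receiver in Python that implements the event flow described above: Paubox (system A) POSTs an event, the receiver (system B) validates and processes it and returns a response. It also covers the notification, follow-up and analytics use cases from this section. The four event names come from the Paubox webhook form; the JSON body shape ({"event": ..., "message_id": ...}), the bearer-token check and the listening port are assumptions of the example, because the page does not document Paubox's payload format or how it authenticates requests.

```python
import hmac
import json
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

# Event types exactly as listed on the Paubox webhook form (from the page).
EVENT_TYPES = {"Opened", "Delivered", "Temporary Failure", "Permanent Failure"}

# ASSUMPTION: the endpoint is protected by a static bearer token that the
# sender is configured to include. Paubox's real authentication method is not
# described on this page; this check is the example's own design choice.
EXPECTED_TOKEN = "replace-with-a-long-random-secret"

# In-memory analytics store: counts per event type ("campaign analytics").
delivery_counts = Counter()
# Collected alerts ("notifications"); a real deployment would forward these
# to Slack/Teams through a HIPAA compliant middleware such as Tray.io.
alerts = []


def token_is_valid(presented: Optional[str]) -> bool:
    """Constant-time comparison so the check does not leak the secret."""
    if presented is None:
        return False
    return hmac.compare_digest(presented, EXPECTED_TOKEN)


def handle_event(raw_body: bytes) -> dict:
    """Parse one webhook body and dispatch it by event type.

    Assumed (hypothetical) JSON shape: {"event": "<type>", "message_id": "<id>"}.
    Returns a small result dict so callers and tests can see what happened.
    """
    try:
        payload = json.loads(raw_body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return {"status": 400, "reason": "malformed JSON"}

    event = payload.get("event") if isinstance(payload, dict) else None
    message_id = payload.get("message_id") if isinstance(payload, dict) else None
    if event not in EVENT_TYPES or not isinstance(message_id, str):
        return {"status": 400, "reason": "unknown event type or missing message_id"}

    delivery_counts[event] += 1  # analytics: total sends per outcome

    if event in ("Temporary Failure", "Permanent Failure"):
        # The alert carries only the event and the id. Never copy message
        # content into a chat notification: it may contain PHI.
        alerts.append({"text": f"Message {message_id} failed to send", "event": event})
        # Follow-up use case: a failure is where you would schedule a resend
        # or a fallback channel; here it is only flagged.
        return {"status": 200, "action": "alert", "event": event}

    return {"status": 200, "action": "recorded", "event": event}


class WebhookHandler(BaseHTTPRequestHandler):
    """HTTP endpoint that Paubox (or a Webhook Site style test) would POST to."""

    def do_POST(self):
        auth = self.headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
        if not token_is_valid(token):
            self.send_response(401)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0"))
        result = handle_event(self.rfile.read(length))
        self.send_response(result["status"])
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(result).encode("utf-8"))


if __name__ == "__main__":
    # Listens locally only; terminate TLS (HTTPS) in front of it before
    # exposing the URL to any webhook sender.
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

Run the script and point a test client at http://127.0.0.1:8080 with an Authorization: Bearer header and a JSON body such as {"event": "Permanent Failure", "message_id": "abc"}; the receiver returns 401 without the token, 400 for a malformed body or an event name outside the four listed, and 200 otherwise. Keeping the dispatch logic in handle_event, separate from the HTTP layer, is what lets you unit-test each of the four event paths without a network.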

Start Paubox Email API today

Send secure, transactional emails that engage and improve the patient experience

HIPAA Compliant Email: The Definitive Guide [2023 update]



HIPAA compliance and email is a critical issue for healthcare. This guide answers all your questions to HIPAA compliant email to get you up and running quickly.

HIPAA Compliant Email: The Definitive Guide is your resource to give you a clear understanding of HIPAA, how to encrypt and secure email so it’s HIPAA compliant, and a concise but complete understanding of how HIPAA regulations impact healthcare email.

  1. What you need to know about HIPAA compliance for email
  2. Is it a HIPAA violation to email patient names?
  3. Does HIPAA allow healthcare providers to email patients?
  4. How to safely email patients.
  5. HIPAA email rules for compliance.
  6. How to secure your healthcare email today for peace of mind.

Table of contents

  1. What is HIPAA?
  2. HIPAA compliance and email
  3. The easiest way to send HIPAA compliant email
  4. Quick guide to HIPAA regulations and rules you need to know
  5. 2023 update to HIPAA email and compliance
  6. HIPAA violations, breaches and fines FAQ
  7. Answers to your top HIPAA compliant email questions

What is HIPAA?


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) set the standard for protecting sensitive patient data. As a result, email HIPAA compliance can be a confusing topic. But this definitive guide is your source to clarify key requirements and outline the important steps to leverage HIPAA compliant email.

HIPAA compliance and email


Is it a HIPAA violation to email patient names and PHI?

Any organization dealing with protected health information (PHI) must follow all the physical, network and process security measures required by HIPAA. HIPAA compliant email falls into this scope.

Covered entities and BAAs

Organizations subject to HIPAA include covered entities (any company that provides treatment, payment or healthcare operations) and business associates (any company with access to PHI that provides support for covered entities). Even subcontractors (i.e., business associates of business associates) must comply. So if you happen to fall into any of these categories, you must ensure that the email you send is secured and HIPAA compliant.

HIPAA encryption requirements are specified by two main terms—required and addressable.

Required encryption must take place when sending electronic protected health information (ePHI) per the HIPAA Privacy Rule and the HIPAA Security Rule.


How do I make my email HIPAA compliant and secure?

Follow these technical and procedural steps for HIPAA compliant email. Sending PHI through email can be done easily as long as you follow the right steps. What’s more, connecting with patients through easily accessed email is well worth it for patient well-being, staff work satisfaction and your bottom line.

It’s no secret that healthcare providers are busy. But you can easily have HIPAA compliant and secure email with Paubox without spending precious time installing or deciding what to encrypt or what not to encrypt. At the same time, implementation is simple and quick, and all emails secured by Paubox email solutions are HIPAA compliant. In fact, more than 4,000 healthcare members use Paubox every day for peace of mind to secure nearly 70,000,000 emails each month.

To learn more about HIPAA compliance and email, keep reading.

4 HIPAA compliant email technical steps

  1. Any email sitting on your server (like your inbox) is considered “at rest” and must be secured.
  2. Whenever you send an email, it moves from one server to another; it is considered “in transit.” Therefore, it must be secured every step of the way until it reaches the recipient’s inbox. This process is typically handled with email encryption. Another key point is that once an email is delivered securely to a recipient’s inbox, you are no longer responsible for it under HIPAA regulations.
  3. If your email provider secures email with Transport Layer Security (TLS) encryption, this does not mean your message will be delivered securely. Messages downgrade and arrive unencrypted in clear text if a recipient’s email provider doesn’t support TLS. So make sure you are using a solution that addresses this. Paubox solutions ensure 100% of emails are secured regardless of having or not having TLS. 
  4. If you use a third-party email provider, like Google Workspace, Microsoft 365 or Microsoft Exchange, you must get a business associate agreement (BAA) to protect PHI from cybercriminals or negligent employees. A BAA outlines vendor responsibilities and duties when they handle PHI.

3 HIPAA compliant procedural steps

  1. Ensure all employees are appropriately trained on HIPAA compliance and leverage the right technology to overcome human error, such as forgetting to press a button or typing a password to encrypt an email when sending PHI. Human error accounts for the vast majority of email-related HIPAA violations. Because of this, Paubox email solutions eliminate doctor or patient errors related to sending an email that is not secured. You can take advantage of a no-risk trial here.
  2. HIPAA requires reasonable safeguards for PHI, like encryption. If you choose not to use a third-party email encryption service, you will need to take the time to audit your organization with this assessment. 
  3. Limit access to PHI to only staff members who need it to do their jobs.

The easiest way to send HIPAA compliant email

The easiest way to send email in compliance with HIPAA is seamless encryption. It gives providers the expected benefit—HIPAA compliant email—without asking senders or recipients to change their behavior. Secure all email sent from your server without the need for additional security steps for you or your email recipients and remain HIPAA compliant.

Seamless email workflow for your staff

It is a stressful and time-burning burden for staff to decide if an email needs encryption. But encrypting email by default eliminates the risk and stress of accidentally sending unencrypted PHI over email.

For a distracted or busy employee, hitting the send button without noticing that an email contains ePHI is far too easy and makes for a very costly mistake.

Seamless and secure email connections with your patients

Find a solution that allows you to write and send HIPAA compliant emails as usual from a laptop, desktop or mobile device without needing to enter passwords, download an app or log into a portal.

The reality is, having portals and passcodes is a security “check in the block.” Email’s purpose is to communicate. But if you make your patients log in, the odds are you will not be communicating with them. In fact, only 1/3 of people with access to portals use them, but over 90% of U.S. adults regularly use email.


Seamless and secure integration into your existing email provider

Fortunately, Paubox integrates with Google Workspace, Microsoft 365 and other commercial email providers. So, conveniently, you don’t have to change your email address.

Seamless HIPAA compliant email and a more secure inbox

What’s more, our Plus and Premium subscriptions add robust spam, virus, ransomware and phishing protection. Unfortunately, phishing scams are still the most common way email gets hacked and continue to lead to HIPAA violations.

Finally, Paubox provides a BAA to all members. In addition, no minimum number of staff members or providers is required.

Quick guide to HIPAA regulations and rules you need to know


HIPAA compliant email and the HIPAA Enforcement Rule

The U.S. Department of Health and Human Services (HHS) created HIPAA to improve healthcare standards and combat PHI fraud and abuse. Additionally, the Office for Civil Rights (OCR) regulates and enforces the act, which consists of the following sections (or titles). Most referenced is Title II, as it sets the policies and procedures for safeguarding PHI, whether in paper or electronic (ePHI) form.

6 rules of HIPAA you need to know

  1. Privacy Rule (2003): covers the protection of PHI as well as compliance standards
  2. Security Rule (2005): sets required security standards to protect ePHI
  3. Enforcement Rule (2006): provides a general guide for compliance, investigation and penalties for violations
  4. HITECH Act (2009): promotes the adoption and meaningful use of technology in healthcare
  5. Breach Notification Rule (2009): sets the procedures for reporting breaches
  6. Final Omnibus Rule (2013): incorporates HITECH further by improving privacy protections

Does the HIPAA Privacy Rule permit healthcare providers to use email to discuss health issues and treatment with their patients?

Yes. In 2000, the HIPAA Privacy Rule created a set of national standards for safeguarding certain health information for the first time. Providers can communicate electronically with their patients under the Privacy Rule, provided they apply reasonable safeguards.

HIPAA does not mandate encryption

Although HIPAA does not mandate encryption outright, encryption is an addressable specification. To forgo it, you must perform a risk assessment and determine that encryption is not needed to manage risks to PHI; if that is what your organization decides, you must document why encryption is not needed and then put a secure alternative safeguard in place for your ePHI.

Paubox recommends encryption for HIPAA compliant email

Not using email encryption is risky for your patients’ information and your organization. Encryption is the only option to securely protect PHI.

The HIPAA Privacy Rule allows covered entities to disclose PHI to a business associate. Nevertheless, business associates must assure covered entities that PHI remains within the scope of their engagement.

What is the HIPAA Security Rule?

The HIPAA Security Rule was added in 2003 to set out what safeguards must be in place to protect electronic PHI (ePHI), which is health information that is held or transferred in electronic form. Therefore, covered entities must take reasonable steps to protect ePHI in email while in transit to the recipient’s inbox.

2023 update to HIPAA email and compliance

According to HHS, recently proposed updates intend to improve the consumer experience, increase consumer understanding, simplify the plan selection process, combat discriminatory benefits that disproportionately impact disadvantaged populations and advance health equity.

Here are the proposed 2023 updates to the HIPAA Privacy Rule

  • Individuals will have the right to inspect their PHI in person, including taking notes or capturing images of medical records.
  • Covered entities’ response time for medical record requests will be shortened to 15 calendar days. Also, there will be an option for an extension of no more than 15 calendar days.
  • Responding to individuals’ requests for PHI will be clear and concise, including when business associates are involved.
  • Whenever a PHI summary is offered instead of a copy, covered entities must notify individuals that they retain the right to obtain or direct copies of PHI to third parties.
  • Individuals will be provided with access rights with a reduced burden of identity verification.
  • By requiring covered healthcare providers and health plans to submit an individual’s access request to another healthcare provider and to receive back electronic copies of the individual’s PHI in an electronic health record (EHR), individuals will be able to direct the sharing of PHI in an EHR.
  • Covered healthcare providers and health plans will be required to respond to certain requests for records sent to them by other covered healthcare providers or health plans according to their right of access.
  • The individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR will be limited.
  • The timelines for when ePHI must be provided free of charge to the individual will need specifying.
  • The fee structures for responding to requests to direct records to third parties will be amended.
  • Covered entities will be required to publish estimated fee schedules on their websites for access and disclosures with an individual’s valid authorization and provide individualized estimates of fees for individuals requesting copies of their personal health information, as well as itemized bills for completed requests upon request.
Source: Aris Medical Solutions

HIPAA compliant email 2023 update timelines

In order to achieve compliance with any new or modified standards, covered entities and their business associates have until the “compliance date” to establish and implement policies and practices. Additionally, HHS has previously stated that the 180-day general compliance period for new or modified standards will not apply if a different compliance period is provided in the regulation.

Why is HHS making HIPAA updates in 2023?

HHS requested answers to 54 questions from providers in 2019. Then in 2020, the department issued a Notice of Proposed Rulemaking describing several changes to the HIPAA Privacy Rule based on the responses received. Then, HHS requested comments on the proposed HIPAA changes once again in 2021. Finally, On January 5, 2022, the department released its Notice of Benefit and Payment Parameters for the 2023 Proposed Rule.


HIPAA violations are costly. Secure your emails to stay protected.

Certainly, HIPAA violations carry a high cost, and you can be penalized for noncompliance based on the degree of negligence. The current fines typically range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision. Although, according to Thomson Reuters, the penalties are adjusted for inflation and could be even higher.

What are the current penalties for HIPAA email violations?

HIPAA administrative simplification covers privacy, security, breach notification and electronic healthcare transactions. Presently, HIPAA violations are categorized into four tiers, with minimum and maximum penalty amounts within each tier, and multiple violations of an identical provision are capped annually. In accordance with HIPAA administrative simplification provisions, the following indexed penalties apply:

Penalties for HIPAA Email Violations

Tier                                                            From       To          Annual Cap
Tier 1: Could not have avoided with reasonable care             $127       $63,973     $1,919,173
Tier 2: HIPAA email violation despite reasonable care           $1,280     $63,973     $1,919,173
Tier 3: Willful neglect but corrected within a reasonable time  $12,794    $63,973     $1,919,173
Tier 4: Willful neglect and not corrected                       $63,973    $1,919,173  $1,919,173

Source: Thomson Reuters

What’s more, according to a report by IBM Security, healthcare data breaches cost $9.3 million on average in 2021 – a 29.5% increase over the $7.13 million average in 2020.

Undeniably, over the past 20 years, the OCR has enforced violations at a blistering pace.


HIPAA email breaches and violation stories

HIPAA breaches and email security

In 2021, a major healthcare data breach affected 45.7 million patient records. This is the second-highest number of records reported breached since 2015. Health insurer Anthem suffered the largest healthcare data breach on record in 2015, affecting 77.8 million people.

Undoubtedly, email continues to be a primary threat vector for healthcare. In fact, 37% of all HIPAA breaches in 2020 occurred via email.

Answers to your top HIPAA compliant email questions

  1. Is my email provider HIPAA compliant?
  2. When does my obligation to secure PHI end?
  3. What is a business associate agreement, or BAA?
  4. Is there a HIPAA email provider certification?
  5. What is the gold standard for HIPAA compliance?
  6. The best HIPAA compliant email providers.
  7. Five top HIPAA compliance software tools for secure healthcare email.

1. Is my email provider HIPAA compliant?

These popular consumer email providers are not HIPAA compliant:

  • Gmail: By far one of the most popular email providers in the world, Gmail – or Google Workspace – by itself is not HIPAA compliant. Google’s own data shows that only 90% of email sent with Gmail is delivered encrypted. For HIPAA compliance, 90% isn’t good enough. Only 100% encryption is acceptable. But you can make Gmail HIPAA compliant with a few extra steps.
  • Yahoo: Another popular email provider, Yahoo is not compliant.
  • GoDaddy: A lot of people use GoDaddy’s hosting service and subsequently use GoDaddy’s Microsoft 365 product, but not all Microsoft 365 email is created equal.
  • HostGator: Another popular web hosting provider that offers email hosting and is not HIPAA compliant.

2. When does my obligation to secure PHI end?

Once the email reaches the recipient, the obligation of the sender ends, and it becomes the recipient’s job to secure any PHI they have in their inbox.

3. What is a business associate agreement, or BAA?

A BAA is a required piece of HIPAA compliant email

If you are using a third party to transmit or host ePHI, the company is legally required to sign a business associate agreement (BAA) with you. A BAA establishes that certain administrative, physical and technical safeguards are in place to protect patient data.

On the whole, it’s important to understand a crucial piece of HIPAA is that vendors providing HIPAA compliant email services to organizations must provide and sign a business associate agreement (BAA).

Therefore, covered entities or business associates entrusting PHI to a third party legally need a BAA. 

4. Is there a HIPAA email provider certification?

Presently, there is no certification that makes an email provider HIPAA compliant. However, meeting the HIPAA Privacy and Security Rule requirements and ensuring strong technical security measures to protect ePHI are in place is the best place to start.

5. What is the gold standard for HIPAA compliance?


HITRUST-CSF certification is the closest thing there is to a formal HHS HIPAA certification.

Therefore, inspect vendors’ stances on safeguarding sensitive information and their ability to manage risk and check to ensure that their products are HITRUST-CSF certified. Sometimes using HITRUST-CSF certified technology and software can help with cyber liability insurance premiums.

Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain.

In summary, HITRUST-CSF is the gold standard of security certifications in healthcare.

6. The best HIPAA compliant email providers


Perhaps the most difficult step is next—trying to sort through the noise and pick a HIPAA compliant email provider.

For that reason, here are some factors you want to consider:

  • Is the service really HIPAA compliant?
  • How easy is it to use?
  • Does it integrate with your existing IT setup?
  • Does it require new workflows?
  • How is customer support?
  • What are the hidden costs?

7. 5 top HIPAA compliance software tools for secure healthcare email

Above all, Paubox has taken security and compliance to the next level by achieving HITRUST-CSF certification for all our products:

  1. Paubox Email Suite for standard email
  2. Paubox Email Suite Plus with inbound security
  3. Paubox Email Premium with inbound security, email archiving and DLP
  4. Paubox Email API for transactional email
  5. Paubox Marketing for HIPAA compliant email marketing

HITRUST-CSF Certified patented technology

Overall, HITRUST-CSF certified status demonstrates that our solutions have met key regulatory and industry-defined requirements and are appropriately managing risk.

Notably, this achievement places Paubox in an elite group of organizations worldwide that have earned this certification. Certainly, by including federal and state regulations, standards and frameworks, and by incorporating a risk-based approach, the HITRUST-CSF certification helps organizations address compliance challenges through a comprehensive and flexible framework of prescriptive and scalable security controls.

Additional HIPAA email compliance resources


Paubox takes the stress out of HIPAA compliance and email

Paubox gives over 4,000 healthcare customers peace of mind by securing nearly 70,000,000 emails every month for providers and covered entities. Our technology is HITRUST-CSF certified and rated 4.9/5.0 on G2. Trust the industry experts and start using email in your practice easily, securely and in compliance with HIPAA regulations.

Looking for HIPPA compliant email in our HIPAA Compliant Email: The Definitive Guide [2023 update]?

People often confuse HIPAA email and HIPPA email. Therefore, it’s easy to Google HIPPA compliant email or HIPPA email. In short, Google is smart and knows the correct spelling while pointing you to the right pages by default. In a nutshell, “HIPPA compliant email” or “HIPPA email” are not correct. “HIPAA compliant email” or “HIPAA email” are the correct search terms.

The largest medical cyberattack in U.S. history?

The largest medical cyberattack in U.S. history may have occurred last week. CommonSpirit Health is suffering at the hands of a not-yet-identified ransomware group. The number of medical records affected could be as high as 20 million.

Read on to learn more, including why healthcare is under attack and the steps to take if your medical record is leaked.

The largest medical cyberattack in US history?

CommonSpirit Health is the nation’s fourth-largest hospital system with 142 hospitals in 21 states.

CommonSpirit Health’s Statement

Over the course of this past week, we have been managing a response to a cyberattack that has impacted some of our facilities. Patients continue to receive the highest quality of care, and we are providing relevant updates on the ongoing situation to our patients, employees and caregivers. Patient care remains our utmost priority and we apologize for any inconvenience this matter has created. 

As previously shared, upon discovering the ransomware attack, we took immediate steps to protect our systems, contain the incident, begin an investigation and ensure continuity of care. 

Our facilities are following existing protocols for system outages, which include taking certain systems offline, such as electronic health records. 

In addition, we are taking steps to mitigate the disruption and maintain continuity of care. 

To further assist and support our team in the investigation and response process, we engaged leading cybersecurity specialists and notified law enforcement. 

We continue to conduct a thorough forensics investigation and review of our systems and will also seek to determine if there are any data impacts as part of that process.  

Systems serving Dignity Health and Virginia Mason Medical Center have had minimal impacts on operations by this incident. For the other parts of our health system that have seen impacts on operations, we are working diligently every day to bring systems online and restore full functionality as quickly and safely as possible.  

Central to our decision-making has been and will continue to be our ability to carry out our mission in a manner that is safe and effective to those we serve. At CommonSpirit Health, we are dedicated to meeting the needs of the communities we serve and are guided by our core set of values, which include integrity, excellence, and collaboration. We are grateful to our staff and physicians who are doing everything possible to mitigate the impact to our patients and ensure continuity of care.

The CommonSpirit ransomware attack impact area

Subsidiaries of CommonSpirit affected by the attack include CHI Health facilities in Nebraska and Tennessee, MercyOne Des Moines Medical Center, Houston-based St. Luke’s Health and Michigan-based Trinity Health System. As stated above, Dignity Health and Virginia Mason Medical Center have had minimal impacts on operations by this incident.

5 reasons why healthcare is a target for ransomware

Healthcare organizations are vulnerable to cyberattacks, even more so than other industries. The reasons why advanced persistent threat (APT) groups actively target covered entities, such as healthcare providers, pharmaceutical companies, and medical research organizations, likely include the following:

  1. Medical records are valuable on the black market and fetch up to $1,000 per record.
  2. Healthcare may be more likely to pay ransoms to get data back because lives hang in the balance.
  3. The attack surface is excessive and often left vulnerable.
  4. Untrained or overworked staff are prone to make errors.
  5. Lax security: A healthcare organization may view cybersecurity as an expense, despite the fact that that expense is small compared to what the organization could lose in the event of a data breach.

Read more: Why is healthcare a juicy target for cybercrime?

How do ransomware attacks happen?

Phishing emails are a common method of delivering ransomware. A malicious attachment or link is sent in an email that the victim believes is trustworthy. When the victim opens the attachment or clicks the link, the malware begins to download.

Upon entering a system, the malware begins encrypting the victim’s data, typically renaming the files with a new extension, which makes them inaccessible. Once this is done, the files cannot be decrypted without a key known only to the attacker. Finally, a message is displayed to the victim, explaining that the victim’s files are inaccessible and can only be recovered by paying a ransom to the attackers.

Read more: What is ransomware and how to protect against it?

Are foreign governments targeting the U.S. healthcare system?

Anne Neuberger, U.S. Deputy National Security Advisor, stressed the growing threat of foreign cyberattacks, citing U.S. government reports that identify specific “preparatory activity” targeting U.S. companies and critical infrastructure.

Further, the U.S. Department of Justice confirms that a North Korean regime-backed programmer has been charged with conspiracy and held responsible for the destructive global WannaCry 2.0 ransomware attacks.

“Security needs to be top of mind for every company. Email security is the number one cause of breaches,” Paubox customer Eli Golden, Director of IT at The Jellyvision Lab, explains. “Attackers are getting smarter, and while we train our staff thoroughly with simulated attacks and live sessions, it’s best to have as much protection as possible.”

Read more: The White House warns against possible Russian cyberattacks

Healthcare executives rank ransomware as the #1 threat

A recent survey of 132 healthcare executives found that ransomware was the number one cybersecurity threat – more than data breaches or insider threats – according to the Health Information Sharing and Analysis Center, a nonprofit global cyberthreat forum for the healthcare industry.

Read more: The risks are too high for healthcare leaders not to understand Zero Trust

Take these 7 steps if your medical record is breached

  • File a police report
  • File a report with the FTC
  • Inform your insurer
  • Get copies of your medical record
  • Notify the three credit bureaus
  • Ask for corrections
  • Use strong passwords and 2FA or MFA on your accounts
Source: IDStrong

Are you in healthcare and concerned about digital security?

Paubox technology is HITRUST-CSF certified, patented and provides the most advanced HIPAA compliant email solutions available. Paubox solutions are effortlessly easy to implement and use.

In fact, Paubox is securing nearly 70 million HIPAA compliant emails each month for more than 4,000 healthcare customers and has a 4.9/5 G2 rating.

Whether you are a large hospital or a standalone clinic, Paubox has the right email product to keep your data and organization HIPAA compliant and secure.

OCR struggles to keep up with rising ransomware cases


According to a recent update from Politico, the Department of Health and Human Services’ Office for Civil Rights (OCR) is facing an overflowing caseload of ransomware incidents and other healthcare cybersecurity threats.  

Melanie Fontes Rainer, OCR acting director, states that investigators are “under incredible resource constraints and incredibly overworked.”

Keep reading to learn more about OCR’s challenges and proposed next steps. Plus, find out how HIPAA compliant email can help covered entities stay one step ahead.


Why the OCR budget matters to healthcare

The black market values protected health information (PHI) more than other types of personal information. That’s why cyberattacks are common in the healthcare industry.

Ransomware strikes these organizations especially hard since disruptions in care can put patients’ lives in danger. Therefore, they are more likely to comply with ransom demands.

As this threat grows, the OCR cannot provide the support needed to assist healthcare organizations. This is primarily due to inadequate funding and resources provided by Congress.

Because the OCR has a limited budget, it has a smaller investigation team than many local police departments. Consequently, investigators must handle more than 100 cases simultaneously.

Possible solutions on the horizon

In order to address this concern, the Biden administration has requested a 60 percent budget increase in 2023. As a result, the OCR would be able to hire 37 new investigators.

In addition to balancing the agency’s workload, additional resources will give the agency more opportunities to provide guidance.

Additionally, OCR officials believe implementing higher fines will boost enforcement and encourage healthcare organizations to comply with HIPAA requirements.

Healthcare cybersecurity advocates point to other solutions to reduce risks. Investing in better defense systems and workforce development is part of this strategy.

AHA‘s national adviser for cybersecurity and risk, John Riggi, has called for federal support to train staff to improve security. And Intermountain Healthcare‘s chief information security officer urges the Centers for Medicare & Medicaid Services to develop payment models that directly fund cybersecurity programs.

Secured email is secured healthcare

Covered entities can avoid falling victim to ransomware and other security threats by putting the right protections in place from the start. And with email serving as a leading threat vector for cybercrime, a stronger email security strategy is a must. That’s where a HIPAA compliant email provider comes in. 

Designed to integrate with your existing email platform, Paubox Email Suite enables HIPAA compliant email by default to ensure automatic compliance with HIPAA email rules.

This means you don’t have to spend time deciding which emails to encrypt and your patients are able to receive your messages right in their inbox—no additional passwords or portals necessary. 

In addition to healthcare email encryption, Paubox Email Suite’s Plus and Premium plan levels include robust inbound email security tools that block ransomware and other attacks from even reaching the inbox in the first place.

Our patent-pending Zero Trust Email feature uses email AI to confirm that an email is legitimate. Additionally, our patented ExecProtect solution quickly intercepts display name spoofing attempts.


570-The HIPAA Privacy Rule and email communication with patients


Patients want their healthcare providers to use email to communicate with them. It is the quickest and easiest way for patients to get information. However, HIPAA regulations make it difficult for healthcare providers to use email to discuss health issues and treatment with their patients unless they use a secure email provider. In this blog post, we will explore whether email communication with patients is possible under the HIPAA Privacy Rule, as addressed in HHS FAQ 570.

Should I email my patients?

Patients want their healthcare providers to use email to communicate with them for a variety of reasons. First, email is the quickest and easiest way for patients to get information from their providers. Second, email allows patients to keep a written record of their healthcare discussions. That record can be helpful if they need to refer back to the information at a later date. Finally, email communication between healthcare providers and patients is often more convenient than other forms of communication.

Does the HIPAA Privacy Rule allow me to email my patients?

Despite the fact that patients want providers to use email to communicate with them, HIPAA regulations make it difficult for healthcare professionals to do so. The HIPAA Privacy Rule prohibits healthcare providers from disclosing protected health information (PHI) to individuals outside of the organization without the patient’s consent. However, email is considered an “unsecured” means of communication. That means that PHI could potentially be accessed by unauthorized individuals if it is sent via email. As a result, special precautions must be taken to ensure that PHI is not disclosed via email unless the patient has consented to such disclosure.

Secure email providers make email HIPAA compliant

One way to comply with HIPAA when using email to communicate with patients is by using a secure email provider. Secure email providers encrypt emails so that only the intended recipient can access the PHI contained within the email. This means that even if an unauthorized individual were to gain access to the email, they would not be able to read the PHI contained within it. Secure email providers typically charge a monthly fee, but this fee is often worth it for healthcare providers who need to use email to communicate with their patients.

Read more: Four steps to send HIPAA compliant email

What does HHS have to say about FAQ 570, the HIPAA Privacy Rule and email?

HHS states:

The Privacy Rule allows covered healthcare providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between healthcare providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.


Note that an individual has the right under the Privacy Rule to request and have a covered healthcare provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a healthcare provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.


Patients may initiate communications with a provider using e-mail. If this situation occurs, the healthcare provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.

Source: https://www.hhs.gov/hipaa/for-professionals/faq/570/does-hipaa-permit-health-care-providers-to-use-email-to-discuss-health-issues-with-patients/index.html

In conclusion, HIPAA permits healthcare providers to use email to discuss health issues and treatment with their patients. However, special precautions are needed to ensure that PHI is not disclosed without the patient’s consent. Healthcare providers can use secure email providers or encryption to protect PHI when sending emails to patients.

Send and receive PHI with HIPAA compliant emails

With the increasing cybersecurity risks in today’s environment, maintaining HIPAA compliant communications among healthcare providers, specialists, facilities, and patients is vital. Everyone uses email, but most HIPAA compliant email solutions are complicated and difficult for both providers and patients.

Now there’s an easy way to eliminate the hassle and still have HIPAA compliant email. Paubox offers the easiest way for healthcare organizations to send and receive secure messages and attachments that comply with the protected health information (PHI) requirements of HIPAA.

Paubox integrates into email services that physicians, administrators and patients already use every day. Some of those include cloud-based email providers such as Google Workspace and Microsoft Office 365.

With more than 4,000 customers and nearly 70,000,000 emails secured per month, you can entrust your healthcare email to HITRUST CSF certified Paubox products. And our team consistently ranks 5 stars for customer service. We are here to serve healthcare.

Baton Rouge General confirmed a data breach


Baton Rouge General Health System (GHS) recently confirmed a data breach in its computer system. They operate 20 clinics and medical facilities in the Baton Rouge area and are a Mayo Clinic care network member. 

Unfortunately, this isn’t the first (and won’t be the last) healthcare organization to become a cyberattack victim.

The U.S. is experiencing a crisis of attacks on healthcare-covered entities and their business associates. IBM’s 2022 Cost of a Data Breach Report says healthcare data breaches spiked by almost $1 million per event to reach a record high of $10.1 million.

Email security must be a top priority to safeguard healthcare organizations, their patients and their protected health information (PHI), and to comply with HIPAA by employing robust cybersecurity features like HIPAA compliant email.

Healthcare organizations that don’t try harder will face the same issues that GHS currently battles.

What initially happened?

On June 29, a local Baton Rouge news station issued a statement from GHS about a recent hack.

[GHS] is working through the effects of a cyber attack that began Tuesday. First, and most importantly, the attack has not changed our ability to care for patients. . . . The only thing that’s a little different today . . . is that we’re temporarily charting the old-fashioned way – on paper – until we can safely bring our electronic medical record and other patient systems back online.

Two months later, GHS confirmed the unauthorized access on its website. The system became aware of suspicious activity on June 28 and immediately launched an inquiry.

The investigation revealed that a threat actor unlawfully accessed certain directories within its network between June 24 and 29. Given this, GHS is now undertaking a comprehensive review to determine what PHI and which patients the breach affected. Once complete, it will notify those impacted via mailed notification letters.

There is no information about the breach on the Office for Civil Rights’ (OCR) Breach Portal website. The health system did not confirm the type of data breach, or the PHI accessed.

Follow-up: a possible ransomware attack at Baton Rouge General

By July 1, before GHS’ notice, word circulated that the health system was hit by ransomware. Ransomware is malicious software that holds data hostage until someone pays a ransom to release it.

RELATED: Ransomware is more common in healthcare than you think

A copy of the ransom note pointed to the Hive group, though the threat group did not confirm the information. Last year, the FBI released a flash alert about Hive ransomware. The malware typically enters a system through phishing emails or by leveraging RDP (remote desktop protocol).

Once in a system, the threat actors exfiltrate and encrypt data then send a ransom note. Interestingly, GHS data has not shown up on Hive’s website, which could mean that GHS:

  • Paid the ransom
  • Are negotiating the ransom
  • Were given more time

GHS did not respond to inquiries but did release its online notice after this information was released. Since then, further reports suggest that Hive did post some of the exfiltrated data on its website. PHI exfiltrated may include court-related documentation, billing, employee health records, and patient demographic and medical information.

Costs of breach at Baton Rouge General

According to ransomware experts, ransomware recovery is a lengthy, complex process with huge expenses from lost time to lost opportunities. As we wait for more information from Baton Rouge General, we’ve already seen some of the costs of its ransomware attack. First, GHS announced and moved quickly to a paper EHR (electronic health records) system.

SEE ALSO: HHS alert: take a proactive approach to safeguarding EHR

Soon after, there were reports that GHS experienced interruption and downtime. The health system sent some patients to other locations. Furthermore, it seems that some EHR data was permanently lost. But this is not where the costs of ransomware (and, more than likely, GHS’ costs) end.

To add to these immediate losses are possible exorbitant monetary expenses:

  • Ransom (if paid)
  • Recovery and decryption fees
  • Cybersecurity additions and alterations

GHS may also have to deal with a HIPAA violation as well as an OCR investigation and fine. Finally, something we’ve seen a lot of recently, angry patients may file lawsuits given the breach of trust. In fact, patients of Ohio’s Memorial Health System recently filed after a Hive ransomware attack.

Ransomware and healthcare

This attack is just one of many recent attacks against large hospitals or healthcare networks. According to the U.S. Health & Human Services (HHS), attacks in the first five months of 2022 nearly doubled from the same period last year.

RELATED: Why is healthcare a juicy target for cybercrime?

Cybercriminals target the healthcare industry with its rich PHI. And given the tired, stressed staff in most healthcare organizations, they know that an email scheme more than likely works.

In April 2022, HHS even released an analyst note about the Hive group. Within, HHS states:

Hive is an exceptionally aggressive, financially-motivated ransomware group known to maintain sophisticated capabilities who have historically targeted healthcare organizations frequently. HC3 recommends the Healthcare and Public Health (HPH) Sector be aware of their operations and apply appropriate cybersecurity principles and practices found in this document in defending their infrastructure and data against compromise.

Knowing how to protect and what to protect as well as what to protect against is vital.

Keep patient PHI safe

First, the FBI and all governmental institutions strongly discourage organizations from paying a ransom. While we don’t know if GHS paid, we know that paying is not smart business. Doing so may lead the hackers to attack more organizations and incentivize other cybercriminals to engage in these activities. Furthermore, paying a ransom does not always guarantee a full recovery of data.

Rather than deal with the costs of a cyberattack, organizations must ensure strong cybersecurity and HIPAA compliance. This includes various elements but one of the most important is up-to-date employee awareness training.

RELATED: How to ensure your employees aren’t a threat to HIPAA compliance

But training is not enough on its own as human error is inevitable. Therefore, a cybersecurity program must incorporate layers of protection. Security measures should include:

  • Access controls (e.g., multi-factor authentication)
  • Segmentation
  • Offline backup
  • DLP (data loss prevention)
  • Data encryption
  • Endpoint security
  • Monitoring/responding procedures

And given the continuous use of phishing in ransomware attacks, strong cybersecurity means a solid email security program.

Paubox Email Suite: proactive approach to email security

Every healthcare organization needs to implement HIPAA compliant email security. Built to seamlessly integrate with your current email platform, Paubox Email Suite enables HIPAA compliant email by default and automatically encrypts every outgoing communication.

Messages go straight to patients’ inboxes, with no unnecessary passwords or portals to navigate. PHI stays contained, and email, though considered the worst threat vector, remains secured.

Even better are our inbox protections. Our HIPAA compliant, HITRUST CSF certified solution impedes such techniques as spoofing with ExecProtect and keeps malware and phishing emails at bay with Zero Trust Email.

SEE ALSO: Why health systems must take ransomware protection seriously

Healthcare organizations must always be vigilant and take the extra time to implement and update their cybersecurity. We still do not know what happened to GHS, but we will more than likely use this data breach as a teachable moment.

Ransomware can be stopped before a situation becomes dire when healthcare organizations utilize smart cybersecurity measures like HIPAA compliant email.

Try Paubox Email Suite Plus for FREE today.


Paubox zoom mixer: horses, race cars and neon lights


Horses, race cars, neon lights and a lively evening

As Hoala Greevy, our founder and CEO, said previously, the Paubox Zoom Social Mixer premise is simple: We recreate things we used to do in real life (IRL) on the Internet. Hoala joined the Paubox zoom mixer to talk with the customers, prospects, and the Paubox team about our solutions for healthcare. We covered a lot of ground, including Hoala letting us in on big news, what’s up on deck from development, archiving, domain name spoofing and why comparing Paubox to competitors is like comparing a race car to a horse. 

Continue reading “Paubox zoom mixer: horses, race cars and neon lights”

How do I know contacts uploaded to Paubox Marketing are secure?


A question about Paubox Marketing recently came to my attention:

How do I know contacts uploaded to Paubox Marketing are secure?

In this post, we’ll answer the question and illustrate several methods to securely upload contacts to Paubox Marketing.

Adding Contacts to Paubox Marketing via Paubox Admin Panel

There are two ways to upload and add contacts to Paubox Marketing.

The first is via the Paubox Admin Panel. We require all Admin Panel logins to use multi-factor authentication (MFA). In addition, the Admin Panel uses secure HTTPS connections for all its pages. Incidentally, the same has been true since day one for all web pages on paubox.com.

See Related: Paubox eliminates obsolete TLS protocols, follows NSA guidance

Once logged in, you can add and upload contacts via the Contacts menu. From here, you can manually type them in or you can upload them in bulk via an Excel spreadsheet. We also provide a template spreadsheet you can download as well (it’s in the upper right corner of the Contacts page).

Adding and uploading contacts via the Paubox Admin Panel are done securely via HTTPS connections.

You can see this in action by looking at your browser (see screenshot below):

Screenshot of browser security options, under URL reads: Security

Adding Contacts to Paubox Marketing via API endpoint

You can also securely upload contacts to Paubox Marketing via its API, which we’ve documented on our Developer Docs site.

For more information on this method, we wrote about how to do it last month: How to add and delete contacts in bulk using the Paubox Marketing API

Contact Storage at Rest

Whether you add contacts by manually typing them in via the Paubox Admin Panel, or uploading them in bulk via spreadsheet or API endpoint, all contacts are encrypted at-rest in our platform.

In fact, encryption at-rest of protected health information (PHI) was a requirement during our HITRUST CSF certification process.

See Related: Paubox renews, expands HITRUST CSF certification through 2023

We document our encryption at-rest policy on our Security page:


The HIPAA Security Rule includes addressable implementation specifications for the encryption of PHI in transmission (“in-transit”) and in storage (“at-rest”). Paubox encrypts PHI in accordance with guidance from the Secretary of Health and Human Services (HHS), “Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.”

Paubox encryption at rest is consistent with HIPAA guidance that is currently in effect. With Paubox at rest encryption, a unique volume encryption key is generated for each Paubox disk volume (hard drive).


Summary: Securely Uploading Contacts to Paubox Marketing

In summary, here is how we allow customers and prospects to securely upload contacts to Paubox Marketing:

  • You can upload contacts via the Paubox Admin Panel. The Admin Panel requires MFA to log in, and all web pages are encrypted via HTTPS connections.
  • You can also upload contacts via the Paubox Marketing API. All API endpoints at Paubox are also encrypted via HTTPS.
  • All data stored on the Paubox platform, including contacts, is encrypted at-rest.
  • Paubox Marketing is HITRUST CSF certified. HITRUST is the gold standard of certifications in U.S. Healthcare.

Paubox Marketing

Prior to its launch, healthcare providers were stuck with generic messaging because it was impossible to personalize email with patient information without violating HIPAA regulations.

Now you can send your patients personalized messages that include PHI using our HIPAA compliant email marketing service, Paubox Marketing.

  • Grow your business. Send targeted, personalized messages that resonate with your audience.
  • Increase patient engagement. Drive engagement by including PHI in your HIPAA compliant email campaigns to create personalized and relevant messaging.
  • Track results. Access real-time analytics to track marketing campaign performance.
  • Improve patient outcomes. Ensure that patients don’t miss vital treatment by sending email reminders and recommendations for additional services.

Paubox Marketing is HITRUST CSF certified and is free to use for up to 100 contacts.

The free plan also includes a business associate agreement.

Kickstart your HIPAA compliant email marketing with Paubox Marketing

Operational Details of Paubox’s SMTP Service

Mail Transportation (1938) by Fletcher Martin, in the San Pedro, California, post office

In a previous post, we covered some high level details of our new SMTP service that acts as a bridge between SMTP clients and our transactional (RESTful) email API.

In this post, we’ll go over some of the implementation details of the SMTP service and how its architectural design provides benefits people have come to expect from highly reliable and secure web services and protocols.

Continue reading “Operational Details of Paubox’s SMTP Service”