🎈🎉 Announcing: TrueVault Atlas Cloud 🎉🎈

by Justin Gold May 1, 2019

Two months after we launched TrueVault Atlas as a self-managed solution, we are thrilled to announce we are launching TrueVault Atlas Cloud today.

Read More

What are the penalties associated with GDPR?

by Justin Gold April 10, 2019

As previously explained, GDPR is a new law governing the collection and use of personal data. It applies to people or organizations established in the European Union, and to organizations outside the EU that offer goods or services to, or monitor the behavior of, people in the EU. It came into force on 25 May 2018.

Read More

How does GDPR define Personal Data?

by Justin Gold March 21, 2019

GDPR is based around protecting personal information for individuals and as such, the term ‘personal data’ is a critical entryway into implementing GDPR. In the regulation, ‘personal data’ is specifically defined as: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an...

Read More

What is a data subject access request?

by Justin Gold March 7, 2019

A Data Subject Access Request (DSAR) is a request by a data subject (an identifiable individual about whom personal data is held) to a data controller (the organization that determines why and how that personal data is processed) concerning their personal data. A data subject may request access to their personal data record, corrections to it, or the deletion of some or all of the personal data the company holds about them. The organization...

Read More

🎈🎉 Announcing: TrueVault Atlas 🎉🎈

by Justin Gold March 1, 2019


Read More

What happens after a data breach?

by Sara Kassabian January 17, 2019

If your company aligns its data processing activities with the principles of privacy by design, the likelihood of a data breach happening is less than if you don’t adhere to these principles. However, in the event a data breach does occur, the penalties under the General Data Protection Regulation (GDPR or “The Regulation”) are harsh. In this fourth blog, we unpack the consequences facing businesses that experience a data breach.

Read More

Privacy by design: Key philosophy of GDPR

by Sara Kassabian January 16, 2019

This is the third in a series of blog posts that summarize some of the key concepts of the European Union’s new General Data Protection Regulation (GDPR or “the Regulation”). Our previous posts answered two frequently asked questions: What is GDPR? and Does my business need to be GDPR compliant?. In this next blog post, we unpack one of the key principles of the Regulation — privacy by design.

Read More

Does GDPR apply to my company?

by Sara Kassabian January 15, 2019

The first blog post in our series introduced some of the fundamental concepts of GDPR. In this second blog post, we answer a question that many business owners are asking: how do I know if my business needs to be GDPR compliant?

Read More

Introduction to GDPR

by Sara Kassabian January 14, 2019

The scope of the European Union’s new General Data Protection Regulation (GDPR) is far-reaching, and has turned lives upside down for many businesses that are sustained by collecting personal data from consumers.

Read More

Inside the Vault: Searching and Fetching Data

by Sara Kassabian December 4, 2018

Virtually any business that works in the healthcare space will be accessing and managing health information. If personally identifiable information (PII) is linked with medical information, that data is considered protected health information (PHI), a special class of data that must be secured according to HIPAA standards. But building a HIPAA-compliant application requires expert knowledge in engineering for security as well as the law itself. There are few small businesses that have the...

Read More

Inside the Vault: How data flows in TrueVault

by Sara Kassabian November 20, 2018

Virtually any business that works in the healthcare space will be accessing and managing health information. If personally identifiable information (PII) is linked with medical information, that data is considered protected health information (PHI), a special class of data that must be secured according to HIPAA standards. But building a HIPAA-compliant application requires expert knowledge in engineering for security as well as the law itself. There are few small businesses that have the...

Read More

Will the midterms impact tech?

by Sara Kassabian November 13, 2018

There are few issues that garner bipartisan consensus among United States lawmakers these days, but a desire to regulate Silicon Valley has proponents on both sides of the aisle. Naturally, the priorities and means of regulation differ according to a lawmaker’s constituents and region, political priorities and political party.

Read More

Is antivirus software good or bad?

by Sara Kassabian November 6, 2018

Everyone remembers working on the home desktop and seeing the alert pop-up in the right-hand corner of your screen: time to upgrade your (Name Brand) antivirus software. Clicking it takes you to a web page where the company tries to upsell you on the latest enhancements to their product. Today, antivirus software (AV) or more precisely, antimalware software, is more sophisticated, and some security experts will say, begrudgingly, that tools like Windows Defender are “mostly good enough” for...

Read More

What's the difference between PII and personal data?

by Sara Kassabian October 30, 2018

The two data protection regulations that TrueVault technology helps companies comply with are the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR). Both HIPAA and GDPR introduce distinct but related concepts of what information counts as “personal”. In this blog, we clarify and untangle these definitions.

Read More

Explaining Business Associate Agreements

by Sara Kassabian October 23, 2018

If your business is exploring opportunities in the healthcare industry, chances are you will be working with health information that contains identifying details, also known as protected health information (PHI).

Read More

How does data de-identification work?

by Sara Kassabian October 16, 2018

Previously, we answered a commonly asked question: what constitutes protected health information (PHI)? This time, we take our series a step further and explain how de-identifying PHI lets your business work with health behavior data without taking on HIPAA liability.

Read More

What is PHI?

by Sara Kassabian October 9, 2018

Last week, we broke down the working definitions of personally identifiable information (PII) as it applies to laws like GDPR and CCPA. But when health information is involved, other laws go further still, regulating more than how businesses collect and store PII.

Read More

What is personally identifiable information (PII)?

by Sara Kassabian October 2, 2018

TrueVault is in the business of protecting personally identifiable information (PII) collected on behalf of your company. PII is different from other types of data, and by storing PII in our SecureVault, we limit the legal liability for businesses that interact with this sensitive data.

Read More

Comparing TrueVault and HIPAA Compliant Hosting Services

by Sara Kassabian September 25, 2018

Clients ask us a lot: what is the difference between TrueVault and HIPAA compliant hosts, such as Amazon Web Services (AWS)? The answer really comes down to risk. If you’re looking for a ready-made solution to HIPAA compliance, use TrueVault. If you’re confident in your ability to build from scratch a secure and lawful platform that can store protected health information (PHI), essentially your own version of TrueVault, then you’ll start with a HIPAA compliant host, such as AWS.

Read More

Announcing Tokenization Engine

by Justin Gold September 18, 2018

Today, TrueVault is launching Tokenization Engine, a new feature of SecureVault, to help companies import healthcare data without the legal burden of HIPAA compliance. The problem: there is clear business value to leveraging health behavior data, but working with healthcare data can be problematic. If a company wishes to work with healthcare data, chances are this data includes Protected Health Information (PHI), a special class of data that requires compliance with HIPAA regulations because it...

Read More

MFA Strategies: Not All are Created Equal

by Andrew Mitchell August 3, 2018

This week Reddit disclosed a data breach, the result of account-takeover attacks targeting Reddit employees with access to user data. The attack worked because these Reddit employees used SMS-based Multi-Factor Authentication (MFA). This exposed them to a popular social-engineering attack in which the attacker intercepts the target’s text messages by fooling the target’s cell phone carrier into redirecting the number (a SIM swap or port-out). In these types of attacks, the perpetrator does not need to be particularly sophisticated or even technical.

Read More

Do I Need to Be GDPR Compliant?

by Jason Wang March 15, 2018

As covered in the previous blog post, GDPR is a new law regulating the processing (collection and use) of individuals’ personal data, which comes into effect on May 25th, 2018. If you are covered by GDPR, then not only will your customers expect you to be compliant, but your business partners may require it as a condition of their contracts. Moreover, the fines for breaching the Regulation are harsh, going up to €20,000,000 or 4% of your worldwide annual turnover (whichever is higher). With that in mind,...

Read More

What is GDPR?

by Jason Wang March 8, 2018

The General Data Protection Regulation (GDPR) is an extensive new law regulating the collection and use of personal data of individuals in the European Union, which comes into effect on May 25, 2018. GDPR replaces the Data Protection Directive of 1995, which was the EU’s first legal framework for the protection of personal data. In the two decades since then, the explosion in the use of computers and the internet has contributed to a huge rise in the collection and processing of personal data. Unfortunately,...

Read More

Announcing the Official TrueVault JavaScript SDK

by Dan Cleary June 21, 2017

Attention JavaScript developers! Today we are releasing the official TrueVault JavaScript SDK. The SDK abstracts away the details of making requests to our API. This will significantly reduce the time it takes to build a new project on top of TrueVault, or to add TrueVault to an existing project. To see how the SDK is used in a real project, check out the TrueVault JavaScript Sample Application. This is a full-featured React app that uses the SDK to interact with TrueVault.

Read More

Multi-Factor Authentication for Users

by Dan Cleary May 24, 2017

Earlier this year we released Multi-Factor Authentication for Accounts. This has helped our customers stave off Social Engineering attacks by requiring more than just a username and password when logging in to the TrueVault Management Console. Today we are extending MFA functionality to the end users of TrueVault applications. Now, applications that integrate with TrueVault will be able to implement MFA enrollment, authentication, and unenrollment by taking advantage of our User MFA API.

Read More

Protect Your Organization From Ransomware, Social Engineering, and Other Attack Vectors

by Jason Wang March 15, 2017

Compliance with HIPAA, although vital, is not enough to ensure that customer data will be genuinely secure: Anthem was HIPAA-compliant, and yet they still suffered one of the biggest data security breaches in history. Often, the weakest link in a system is the people operating it. Whether by accident or design, it can be all too easy for them to allow threat actors access to your systems, giving them the opportunity to do what they want with patient data.

Read More

Multi-Factor Authentication for Accounts

by Andrew Mitchell March 10, 2017

Today we're happy to announce Multi-Factor Authentication for the TrueVault Management Console. Many of the threats our customers face are the result of human, not technical, errors. Social Engineering encompasses a broad range of attacks that are especially difficult to defend against because they exploit human mistakes: clicking on a phishing link, typing a password in public, running dubious software, joining an untrusted network, etc. TrueVault is working hard to keep your data safe even...

Read More

Better Access Control with Less Configuration: Ownership

by Andrew Mitchell January 26, 2017

A major pillar of security is access control. It doesn't matter how strong your encryption is if your access control rules are too broad and you unintentionally give the wrong user access to too much information. At TrueVault, we strive to make it easy for you to build a secure product from top to bottom. This means that it's not enough for us to put your data in an iron-clad vault; we also need to help you precisely control access to each record.

Read More

Why Friday's Massive DDoS Attack Should be Terrifying

by Andrew Mitchell October 22, 2016

Friday's massive DDoS attack made a number of hugely popular websites unavailable for much of the country for large parts of the day. Our service wasn't directly affected by this incident, but the nature and scope of this attack is tremendously worrisome. In a Denial of Service (DoS) attack, the perpetrator floods the target's service with so much bogus traffic that it can no longer serve legitimate requests; in a distributed DoS (DDoS) attack, that traffic comes from many machines at once.

Read More

Data De-Identification - An Easier Way to HIPAA-Compliance

by JoAnna R. Nicholson September 27, 2016

Creating a HIPAA-compliant product doesn’t have to be a harrowing experience, but most teams unwittingly choose the slowest, riskiest, and most challenging path to compliance. This post seeks to shed some light on a faster and simpler approach: Data De-Identification. If you take the hard path, retrofitting an existing application to become HIPAA-compliant can be a huge undertaking:

Read More

Sending Personalized Email with TrueVault

by Andrew Mitchell September 15, 2016

TrueVault has partnered with SendGrid to send personalized emails to your customers using the TrueVault API. This post walks you through the integration process and shouldn't take more than fifteen minutes to complete. Setup in SendGrid: the first thing to do is set up a new SendGrid account. If you just want to try this out, you can take advantage of SendGrid's generous free plan, which lets you send 12k emails per month.

Read More

Keep Your Data Out Of The Wrong Hands

by Andrew Mitchell June 9, 2016

We approach security from two angles: prevention and mitigation. Of course we do everything we can to prevent a breach, but we know that isn't enough. History has proven that the software we all depend on has vulnerabilities. We design systems with this reality in mind, and do everything we can to mitigate the damage if a breach occurs. Today we're asking for feedback on a product our R&D department is exploring, which will drastically reduce your exposure if your system is compromised.

Read More

Understanding the EU/US Privacy Shield and Its Impact on Business

by Jason Wang May 11, 2016

The US/EU Safe Harbor framework has been invalidated, but a new agreement known as the EU/US Privacy Shield is in the process of being implemented. The new agreement introduces a series of limitations on the processing of European data that will have serious implications for U.S. companies handling European citizen data. Here is what this new agreement entails, what it will mean in practice, and what you should know going forward.

Read More

7 Tips for a Successful mHealth Strategy

by Jason Wang April 6, 2016

TrueVault works with healthcare organizations and channel partners to deliver foundational technologies to power their mHealth strategies. Doing so has given us plenty of opportunity to develop a deep understanding of what works (and what doesn’t) as healthcare organizations proceed on this journey. Here we’ll share some of our key insights, to help you successfully drive forward your organization’s mHealth strategy and avoid some of the potential pitfalls.

Read More

Driving business value through mobile in the health insurance industry

by Jason Wang March 10, 2016

This is the first in a series of posts. Our health insurance customers tell us that they face intense business challenges. Government mandates are pushing costs up and reducing profitability. Health insurance leaders are consolidating (e.g., Aetna’s $37 billion acquisition of Humana) into fewer, larger companies, in an effort to leverage economies of scale and scope to drive down their cost structures. Indeed, some industry executives and CFOs predict, “Big is going to be better.

Read More

TrueVault Unaffected In UCLA Health Breach

by Jason Wang July 23, 2015

Recently, UCLA Health experienced a data breach. UCLA Health is a TrueVault customer, however, data stored in TrueVault was not affected by the breach. TrueVault continues to maintain the highest level of security and protection of our customer’s sensitive data. If you have any questions, please contact our security team at

Read More

Introducing TrueVault Connect

by Jason Wang May 28, 2015

Today we’re excited to announce the general availability release of TrueVault Connect, an identity management solution empowering businesses to share sensitive data with third party applications securely. TrueVault Connect allows authorized applications to access enterprise data in standards-compliant fashion. With TrueVault Connect, end users can grant third party applications the access to their own data, while enterprises maintain control of how data is being accessed. With sophisticated...

Read More

What is Protected Health Information?

by Morgan Brown January 11, 2015

Protected Health Information, or PHI, is the personally identifiable health information that HIPAA regulates and protects. But HIPAA was written nearly 20 years ago for a mostly analog world of paper files and physical x-rays—the iPhone wasn't even a dream. In today's world of wearables, health apps, genetic sequencing and more, getting a precise definition of PHI can be confusing for developers trying to parse whether they need to be HIPAA compliant or not.

Read More

Top mHealth Apps for September

by Morgan Brown October 20, 2014

Apps continue to grow in importance for smartphone users, as more people spend more time in apps and less time on the mobile web. With the recent launches of HealthKit, Apple Watch and more, health and wellness is no exception to the trend. September’s most in-demand mhealth and medical apps for iOS and Android offer everything from tracking medical information, getting or staying in shape, consulting with physicians, and even helping others.

Read More

POODLE Security Update

by Jason Wang October 16, 2014

Yesterday, an embargo on a major vulnerability in SSL named POODLE ended [0]. POODLE (Padding Oracle On Downgraded Legacy Encryption) works by forcing a connection to fall back from TLS to SSLv3 and then exploiting SSLv3's unverified CBC padding as a padding oracle to recover "secure" HTTP cookies, tokens, or headers one byte at a time. More details about the vulnerability can be found in the release drafted by Google on the OpenSSL website [1]. This vulnerability did not affect TrueVault. In fact, TrueVault removed support...
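The padding oracle is the part of POODLE worth seeing in code. This is an added example, not TrueVault's or Google's code, and it models only the post-downgrade SSLv3 record layer: MAC, then padding, then CBC, with SSLv3's defining flaw that the receiver checks the padding length byte and never the padding bytes themselves. The block cipher is a four-round Feistel network built on HMAC-SHA256 standing in for a real cipher, the record MAC is HMAC-SHA1 rather than SSLv3's own construction, and the secret cookie, the attacker-controlled prefix and suffix, and the keys are all constructed for the example. The attacker recovers one byte of the secret per roughly 256 requests, exactly as in the real attack.

```python
import hashlib
import hmac
import os

BLOCK = 16    # cipher block size in bytes
MAC_LEN = 20  # HMAC-SHA1 output length

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, rnd, half):
    # Feistel round function: a keyed PRF of one half (assumed stand-in for a real cipher)
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, rnd, r))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, rnd, l)), l
    return l + r

def cbc(key, iv, data, encrypt):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        if encrypt:
            prev = block_encrypt(key, _xor(prev, blk))
            out.append(prev)
        else:
            out.append(_xor(prev, block_decrypt(key, blk)))
            prev = blk
    return b"".join(out)

def ssl3_seal(enc_key, mac_key, plaintext):
    """SSLv3-style record: plaintext || MAC || pad bytes || pad length, CBC under a fresh IV."""
    body = plaintext + hmac.new(mac_key, plaintext, hashlib.sha1).digest()
    pad_len = (BLOCK - 1 - len(body)) % BLOCK        # pad_len + 1 bytes are appended
    body += os.urandom(pad_len) + bytes([pad_len])   # SSLv3 leaves the pad bytes unspecified
    iv = os.urandom(BLOCK)
    return iv + cbc(enc_key, iv, body, True)

def ssl3_open(enc_key, mac_key, record):
    """Return the plaintext, or None if the record is rejected. Accept/reject is the oracle."""
    iv, ct = record[:BLOCK], record[BLOCK:]
    if not ct or len(ct) % BLOCK:
        return None
    body = cbc(enc_key, iv, ct, False)
    pad_len = body[-1]
    if pad_len >= BLOCK or pad_len + 1 + MAC_LEN > len(body):
        return None
    body = body[:-(pad_len + 1)]                      # the flaw: only the length byte is checked
    msg, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(mac, hmac.new(mac_key, msg, hashlib.sha1).digest()):
        return None
    return msg

class Victim:
    """Browser plus server. The attacker's injected script makes the browser send
    <prefix><secret cookie><suffix> with attacker-chosen lengths, each under a fresh IV;
    the attacker on the path tampers with the record and watches whether it is accepted."""

    def __init__(self, secret):
        self.enc_key, self.mac_key, self.secret = os.urandom(32), os.urandom(32), secret

    def request(self, prefix_len, suffix_len):
        return ssl3_seal(self.enc_key, self.mac_key,
                         b"A" * prefix_len + self.secret + b"B" * suffix_len)

    def server_accepts(self, record):
        return ssl3_open(self.enc_key, self.mac_key, record) is not None

def recover_byte(victim, k, secret_len, max_tries=50000):
    """Recover secret byte k: align it to the last byte of plaintext block i, make the final
    block consist entirely of padding, then substitute C_i for the last ciphertext block."""
    prefix_len = (BLOCK - 1 - k) % BLOCK
    i = (prefix_len + k) // BLOCK                              # block holding the target byte
    suffix_len = -(prefix_len + secret_len + MAC_LEN) % BLOCK  # plaintext+MAC -> block multiple
    for _ in range(max_tries):
        rec = victim.request(prefix_len, suffix_len)
        blocks = [rec[j:j + BLOCK] for j in range(0, len(rec), BLOCK)]  # blocks[0] is the IV
        tampered = blocks[0] + b"".join(blocks[1:-1]) + blocks[i + 1]
        if victim.server_accepts(tampered):
            # Accepted iff (P_i ^ C_{i-1} ^ C_{n-1})[15] == BLOCK - 1, so solve for P_i[15].
            return blocks[-2][-1] ^ blocks[i][-1] ^ (BLOCK - 1)
    raise RuntimeError("oracle never accepted (astronomically unlikely)")

def recover_secret(victim, secret_len):
    return bytes(recover_byte(victim, k, secret_len) for k in range(secret_len))
```

Running `recover_secret(Victim(b"session=7f3a9c"), 14)` returns the constructed cookie. The fix in TLS 1.0 and later is that the receiver verifies every padding byte, which turns the 1-in-256 "accept" signal into an unconditional reject; disabling SSLv3 removes the downgrade target altogether.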

Read More

Apple’s HealthKit vs. Google Fit [Infographic]

by Morgan Brown October 14, 2014

The field of mHealth has never been hotter as more people add wearables to their list of must-have devices. With the release of the iPhone 6 and HealthKit, Apple is now one of the largest digital health platforms in the world. It’s clear that we’re at the very beginning of a megatrend in personal health technology. Apple’s not the only one jumping on the mHealth bandwagon, however. Google released Google Fit and Android Wear, and Samsung threw their hat into the ring with SAMI (Samsung...

Read More

What is HIPAA Compliant Hosting?

by Morgan Brown October 6, 2014

According to security guidelines established by HIPAA (the Health Insurance Portability & Accountability Act), it’s not only covered entities—that’s those who provide treatment, payment, and operations in healthcare—but also their business associates—that’s anyone who develops mHealth, eHealth, or wearable applications that deal with Protected Health Information (PHI)—who are required to meet national standards for Physical, Administrative, and Technical security of health information. When it...

Read More

HIPAA Compliance Checklist [Download]

by Morgan Brown October 6, 2014

Establishing and maintaining HIPAA compliance for healthcare applications can be a time consuming and frustrating ordeal for developers. From the administrative safeguards that the business needs to implement, to the technical and physical safeguards that require software architecture and custom development, the process can add months to a development timeline and expensive technical debt that requires ongoing attention and refactoring. Unfortunately, using HIPAA-ready hosting like Amazon’s AWS...

Read More

Shellshock Bash Bug and TrueVault

by Jameson Lee September 25, 2014

Yesterday, a critical vulnerability was announced that affects Linux and other Unix-like servers through bash, the Bourne Again SHell. The bug is in how bash processes environment variables: it would parse a variable whose value looked like a function definition and, crucially, also execute any commands that followed it, so an attacker who could set such a variable could run arbitrary shell commands and use that foothold for further attacks. TrueVault was notified of the bug via the publication of the issue and patch information on, the leading security mailing list. Upon notification of the threat TrueVault...

Read More

Introducing the TrueVault Partner Program

by Morgan Brown August 26, 2014

Today we’re excited to introduce the TrueVault Developer Partner program. The Developer Partner program is designed to make it easier for application developers and agencies to work with TrueVault to build the next generation of healthcare applications for their clients. If you build mobile and web-based applications for hospitals, doctors or other healthcare providers, or if you’re an agency or development shop who specializes in building for the healthcare vertical, we want you to be a part...

Read More

5 Things CIOs Should Do in Light of the 4.5 Million Community Health Systems Patient Records Theft

by Morgan Brown August 19, 2014

Community Health Systems, which manages 206 hospitals in 29 states, reported this week that they were victims of Chinese hackers who infiltrated and stole more than 4.5 million patient records. The hackers made out with names, addresses and social security numbers for patients across the network during attacks in April and June. While the hackers did not get access to the highly-valued protected health information in patient medical records, the hack represents the second largest...

Read More

What’s Next for Wearable Technology and What it Means for Health Data

by Morgan Brown July 28, 2014

Wearable technology has rapidly moved from fantasy to geeky fad, and is now shaping up to become the next big wave after tablets. Many scoff at Google’s Glass but, judging from this year’s string of product and platform announcements at Consumer Electronics Show (CES) and from Apple, Google and Samsung, wearable technology is set to be the next major wave of consumer electronics. Indeed, research firm ABI predicts that by 2017 the market for wearables in the sports and health sectors will grow...

Read More

Introducing the TrueVault Badge

by Morgan Brown July 21, 2014

Today we're excited to announce the launch of the TrueVault Badge Program for applications that use our HIPAA compliant API and data store to keep user data compliant and secure. The TrueVault Badge Program allows any TrueVault customer who has signed a Business Associate Agreement with us to display the badge on their website to show their customers they care deeply about keeping protected health information safe and secure. Why a TrueVault Badge?

Read More

HIPAA Violations are on the Rise (Infographic)

by Morgan Brown July 8, 2014

Over the past year, consumer complaints to the Office for Civil Rights regarding HIPAA violations have skyrocketed. The number of complaints rose nearly 10x between 2003 and 2013. While 2013 was a record year for complaints, 2014 is setting up to easily shatter the previous mark. Complaint volume is up 45.7% year-over-year through the month of May (the most recent month with data available). Enforcement of the new Omnibus Final Rule that was published in January of 2013 and effective as of...

Read More

Should App Developers Get HIPAA Certified?

by Morgan Brown June 17, 2014

If you are a developer and you create apps, software, or other technologies that are connected to healthcare information, you are likely dealing with the question of HIPAA compliance and whether the laws around compliance apply to you and your app. One of the first things that probably come to mind is whether you need to get HIPAA certified. It’s a reasonable question. Especially if you’ve built applications that use sensitive data like payment information, you’re used to the notion of required...

Read More
