Cybersecurity update: We’re making important policy changes, including email retention

IT & Epic

To keep our patients and team members as safe as possible from cybersecurity risks, Ballad Health regularly evaluates our systems, processes and workflows to ensure we’re taking every precaution possible. Following a recent review of some of our policies, we are making several updates. 

Email Retention and Mailbox Management

  • Effective June 6, emails older than 90 days, instead of 180 days, will be removed from Outlook.
  • This will apply to any folders team members have created within the email system. Emails that need to be preserved must be relocated.
  • Personal email addresses will no longer be added to the Ballad Health Global Address List (GAL).

Electronic Mail Communication

  • Ballad Health email should not be used for personal use.
  • Your Ballad Health passwords cannot be the same or similar to passwords for any of your personal accounts.

Computer Access Codes

  • Password length should be at least eight characters, but the use of passphrases with spaces separating words is encouraged. For example, instead of your password being “VirginiaHas4Seasons!”, the same password as a passphrase would be “Virginia Has 4 Seasons!” A passphrase is simply a password with spaces separating the words.
  • Your Ballad Health password must be changed every 180 days.
  • The Ballad Health domain is the primary domain used for all user authentications, and if accounts exist on other domains (e.g.,,,, the passwords on all accounts must be different.
  • If you attempt to reset your password and incorrectly answer your security questions, you will need to call the IT Service Desk to unlock your account.
  • Anytime a password needs to be communicated to other personnel, the password must be sent using an encrypted protocol (e.g., Secure Email, Secure FTP, etc.). This would apply to new team members receiving their password for the first time.
  • Any password you use for a Ballad Health account cannot be identical to or similar to any password used for a personal account.

Even a small failure in cybersecurity practices could create a weakness that ripples out, severely affecting our whole health system and inhibiting our ability to care for patients. With your help, we can keep our team members and patients safe.


  • Click here to read a list of frequently asked questions about our changes.
  • Click here to see a tip sheet about how to safely save emails you want to preserve past the 90-day deadline.
  • Click here to read our updated Ballad Health email retention and mailbox management policy.
  • Click here to read our updated Ballad Health email policy.
  • Click here to read our updated Ballad Health computer access codes/password management policy.