Wednesday, December 21, 2022

Do NOT Disclose PHI in Online Reviews!


Consider today's post an early Christmas present!

Not to be flip about this, but this is a *serious* issue.  This year the Office of Civil Rights
(OCR) has fined and forced implementation of a Corrective Action Plan (CAP) on 2 separate dental offices in 2 separate HIPAA violations.

There is an old adage "discretion is the better part of valor" and that certainly applies here.  It seems that 2 separate offices received negative Yelp reviews.  The doctors who owned the practices responded to the complaints and publicly revealed PHI (Protected Health Information) which is a violation of Federal HIPAA laws.

If you are interested, the OCR settlement release for one of the practices can be read here.

I'm providing the link not to embarrass the office, but to provide knowledge to others that might prevent something like this from happening to another office.  The press release basically explains that offices cannot do these types of things.  Revealing PHI is *never* acceptable.

My suggestion would be to post that you are sorry for the incident and would be happy to discuss in person.  Hopefully this post can help keep someone else from a HIPAA violation.


  1. It says my comment is too long, so I'll do this in two parts:

    I *despise* all the online marketing/review stuff.

    I ran into one tool a year or so ago with "bird" in the name. It was another one of those "Oh, hey IT're going to get a call from the bird people in a few minutes. Make sure it gets installed everywhere."

    No testing, no security evaluation--just "get it installed immediately".

    Of course it was a call from India from a tech who could barely speak English. They used three different online meeting tools to get into the server in the most shady way possible.

    Had to install GoToMyPC to get them connected initially, then they installed some other tool (I don't recall which), then the used all of that to get TeamViewer installed and switch from the "watch a remote connection" to "host a remote connection" mode. They did this to bypass the TeamViewer warning about connections from India that was pretty prevalent at the time.

    Anyways, they manually copied a bunch of stuff to the Program Files directory and manually created a Windows Service, then did some hacky stuff with Eaglesoft to get the database password.

    At one point during the install, a tool popped up a UAC dialog box asking for a username and password to connect to their service....because it was a UAC box, and because all these free meeting tools weren't running elevated, the tech actually pasted an email and password into notepad and told us to copy/paste it into the dialog box.

    It took about 45 minutes per machine. Once they were done, I took that username and password and decided to test to ensure our patient data was secure.

    It wasn't. That username and password gave us full admin access to their website. We could see tens of thousands of customers all hoping to get better views on Google so they would come up at the first recommendation.

    Now you'd think that in order to solicit a Google or Yelp review would need...oh...maybe an email address or a cell phone number. Maybe a first/last name to properly address the user.

    This company downloaded *every* table in an Eaglesoft database--including addresses, social security numbers, billing data, medical history, allergies, if they had AIDS or Herpes or any number of conditions.

    ...and they uploaded it to their servers in clear text...with that original username and password in the authentication headers.

    It was absolutely atrocious.

    I immediately called the CEO and told him his company needed to do a better job of vetting the vendors he used. I told him how his patient data was at serious risk, and asked if he had the bird people sign a BAA.

    I expected to hear "Good catch. Immediately block/uninstall the tool."


    1. "This tool is going to make us a tremendous amount of money. We can't stop using it."

      I reached out to the bird people. It took about an hour, but I finally got through to someone who wasn't in India. I informed them of data being transmitted in clear-text and how the techs in India were completely incompetent. They said they would talk to the developers and get back to me in "a few weeks".

      Several months went by, and I brought it up again. Crickets.

      I finally decided to test them. I blew away their tool one one of the servers. A few days later they call in to check on it, and they went through the same process again....except they had changed the Indian tech's password. Sorta... When I asked him about it, he said it was the same password, but they appended the year and month to the end.


      It changed monthly, but they were still handing it out. It was still available in the unencrypted HTTP uploads...and the uploads were still unencrypted.

      I let the CEO know again, and again I was told to not worry about it because the tool was apparently generating tens of thousands in revenue per month.

      Finally I put the list of issues down into an email, and sent it to the CEO, and every contact I could find at that bird company. I mentioned several HIPAA cases and dollar amounts if they were ever caught. The response was "that's why we have cyber insurance".

      They continued to use the tool for 6 months. Every single patient across 37 locations potentially had their information leaked. No one cared...because it was earning them money.

      I finally sent another e-mail saying "Either you ditch this company, or I'm done at the end of the month and you'll have to find another IT company by the end of the month. I won't have my company name (I'm a 3rd-party contractor) associated with a data breach."

      To my surprise, a few days before the end of the month, I got an email telling me to uninstall the bird tool.

      To no one's surprise, I found out they spent two weeks scrambling to find another IT company, but they all wanted a lot more money and several of them actually called me to ask what was up. When I explained the situation, they said "we aren't touching that" and withdrew their estimates.

      There's a reason my own dentist only has limited information on me. First name, last name, address, and cell phone number.

      You can't breach what isn't there.

      After nearly two decades in this business and dealing with hundreds (if not thousands) of dentists, I can say it's extremely rare to come across one that has any sort of technical knowledge *and* cares more about patient data than profits.