I get a bit upset when websites send me my username and password in an email, because I feel like they might mishandle any other data, but this most recent incident really concerns me:
After moving to a new city, I find a doctor’s office that is on my bus route and near my workplace. Upon contacting a doctor’s office by phone, I am asked to register as a new patient on their website. The next day I receive an email from the office manager with a request for a little more information. This email is formatted as a reply, and includes as quoted text all the information from the web form. As far as I can tell, this means that the web server just sends an email to the office manager with all the form responses in cleartext. This indicates that my medical history and my credit card info (including CVV) are being stored in cleartext in one or more places, and that they have no qualms emailing that info to an unconfirmed email address (the form doesn’t even have two email address boxes to guard against typos)!
So here’s my first question: would you go to a doctor’s office that was so careless with personal identifying information, medical history, and credit card info? On one hand, I don’t feel like I can trust them with my medical records, but on the other hand, they already have all that info and are unlikely to delete it completely even if I ask them directly.
My second question: would you report the office to HHS for HIPAA violation, or look at reporting them to the PCI organization? Would you tell the office that you intended to do so? I’m not interested in destroying their practice with tens of thousands of dollars in fines, but I expect they’ll resist changing anything, and I couldn’t verify it if they did.
I would bring it up to them. The people using the system just might not have any idea that what they are doing is wrong. Tell them that it’s at least breaking PCI rules and they could face a lot of fines from their credit card processor and you’re pretty sure it might be breaking HIPAA rules too.
I wouldn’t report directly but if you feel you must, I would tell them first.
I wouldn’t give it a second thought. No skin off my back if someone knows my cholesterol level.
Also, I don’t think sending you your own medical information is a HIPAA violation. The fact that emails are not 100% secure doesn’t mean anything. Nothing is 100% secure. Not the US Mail, not the doctor’s files locked in his office. The doctor should take reasonable efforts to protect medical information of patients. I don’t see this email as being unreasonable.
To clarify, your credit card & CVV info were on the email or just some of the info you entered, like your demographic info? Also was your medical history on there, & if so, was it only what you self-reported, or have you visited yet & is there any info that they gathered, from test results to simple height/weight/temp readings?
At best they may just be sloppy, at worst, they’re violating rules/laws. I’d talk to the office manager & depending upon the response decide whether I:
– Clarify a misunderstanding/still want to be seen there.
– Don’t want anything to do with them.
– Report them.
The same practice (same web form) includes a different doctor who specializes in abuse and addiction problems. I would expect them to value confidentiality.
If I had contacted them by email, I feel that they could take that as confirmation of the email address. Given the amount of misaddressed email I receive because people mistype their email address in a form, I think that a single box in a web form does not constitute “checking the e-mail address for accuracy”. That said, I’d rather not report them if I can avoid it.
I haven’t been to this doctor yet, nor have I released any of my medical info to their office. The email had all the data from the web form, which included a fairly detailed history as well as credit card info.
I will talk to the office manager before making any decision, but this is definitely very sloppy at best.
:smack: Hoo boy, they’ve got all sorts of violations. Absolutely talk to someone there but it almost sounds like the office manager is too incompetent to address this to. Do you know who owns the practice, is it the doctors, or are they employees of a hospital/larger practice? Unless they bend over backwards in apologizing & follow-up that they [del]will[/del] did make changes you should report them, if only to protect the other patients at this practice.
I second finding out who owns the practice and going to them. Reporting them will possibly get them in big trouble. All I know from my own practice is that we have a ton of security going to our portal and we only use email to tell patients of appointments or to contact us or see the portal for further information. It does seem that they are assuming that since you sent them the information, it is OK to copy it but at the very least it indicates that they are sloppy about credit card information. (As a comparison, our credit card processor requires us to do a security assessment yearly which takes my IT people a couple of hours to go through and then does separate security scans of both our in-office credit card system and our portal system monthly. I know that we definitely are not allowed to store or transmit any credit card information except at the time of payment and we have to have several levels of security between the credit card transmissions and the internet.)
I agree with Spiderman and psychobunny – the practice has some issues with Protected Health Information (PHI). At the very least, the information should have been zipped and password-protected, and they should’ve contacted you with the password. At the VERY least.
A safer way for them to ask for the info is to have you register at their site, and email you if you need to go in and update or add information. That way nothing goes through the mail.
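As an added example (not code from anyone in this thread or from the practice discussed), here is what the notification-only approach described in the last two replies looks like for an intake form, next to the quote-everything version the original poster received. The field names and the sample submission are constructed; the card number is the well-known Visa test number.

```python
import re
import secrets

# Fields whose values must never appear in a notification email (assumed field names).
SENSITIVE_FIELDS = {"medical_history", "card_number", "card_cvv", "dob"}

# Constructed sample submission; the card number is the public Visa test number.
SAMPLE_FORM = {
    "name": "Pat Example",
    "email": "pat@example.invalid",
    "medical_history": "asthma since 2004",
    "card_number": "4111 1111 1111 1111",
    "card_cvv": "123",
}

# 13-19 digits with optional spaces or dashes: anything that looks like a card number.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def store_submission(db, form):
    """Keep the form in the practice's own store under a random reference id.
    The CVV is never stored (PCI DSS forbids retaining it) and only the last four
    card digits are kept; the full number goes to the payment processor for
    tokenisation, which is outside this example."""
    record = {k: v for k, v in form.items() if k not in ("card_cvv", "card_number")}
    digits = re.sub(r"\D", "", form.get("card_number", ""))
    if digits:
        record["card_last4"] = digits[-4:]
    ref = secrets.token_urlsafe(12)
    db[ref] = record
    return ref


def leaky_notification(form):
    """What the office in the thread apparently does: quote the whole form back."""
    return "New registration:\n" + "\n".join(f"> {k}: {v}" for k, v in form.items())


def build_notification(ref, form):
    """Staff email saying a registration arrived and which sections were filled in,
    so the manager opens the portal instead of reading the data from the mail."""
    completed = sorted(k for k in SENSITIVE_FIELDS if form.get(k))
    return (f"New patient registration {ref} from {form['name']}.\n"
            f"Sections completed: {', '.join(completed)}.\n"
            "Open it in the staff portal; no form contents are included here.\n")


def outbound_email_is_safe(body, form):
    """Last check before sending: refuse a body carrying a card-like number
    or the value of any sensitive field."""
    if CARD_RE.search(body):
        return False
    return not any(form.get(k) and form[k] in body for k in SENSITIVE_FIELDS)
```

The same `outbound_email_is_safe` check can be wired in front of any mail the server sends, so a later change to the form cannot quietly reintroduce the quoted-form behaviour.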