Should I "blow the whistle" on this online health care service? Or am I just making drama?
I’ve been trying one of those online therapy services. I’m not terribly impressed overall. One of the really annoying things is that their app stinks to high heaven. I was just now making a list of things for them that I hate about their app, and I discovered that one of those things could be exploited to get information about the other users of the service.
But how much does this particular information matter? It’s their “nickname”—not their “user name”, but a private nickname, because therapy is private, not a social network. It would be fairly easy (albeit tedious) to conjure private nicknames from this hole in their app. And presumably some private nicknames could be tied back to the actual person. Or maybe that’s too much of a stretch?
Or maybe no one else has seen this weakness? I don’t know. Should I just tell the operators of the service that they need to fix the hole, on the assumption that probably no one with malicious intent has ever found it or thought about how to exploit it? Or should I let the authorities make such determinations?
I’m not sure what to do. Is this just drama? Or do I need to do something?
Observing members:
0
Composing members:
0
11 Answers
Wait, what are you saying? They use your real name when talking to you?
Who exactly would you blow the whistle to?
Communicate with the administrator of that website to alleviate your security concerns.
@JLeslie In my private account info, there’s a field for setting my “nickname”, as the site calls it. It’s not really used anywhere, except in my own private display area. But I can discover the “nicknames” of other people using the service, by exploiting this design flaw in the app. I’m guessing that at least some people would put something in their “nickname” that could be tied back to them, compromising their privacy.
@stanleybmanly I don’t know! Maybe the HIPAA people? I haven’t worked it out that far yet. I’m still trying to decide whether it is a real thing worth thinking about.
Realistically, my take on this is that bringing an internet scam to justice amounts to tilting at windmills.
I think its the users choice to use a nickname that could be traced to their real name, so it’s not really a security issue any more than your screen name here.
No offense @stanleybmanly -if that’s your REAL name….haha
I see. When you create the nickname does it warn the nickname can be seen by others?
I think you should tell the webmaster and the contact us/customer service on the site, and tell the therapist that it could be a questionable HIPAA violation, and leaves them vulnerable.
I agree with you it’s a design flaw. Many people might put their real name as the nickname ad not understand the consequence.
I wouldn’t blow the whistle yet, I would point it out so they have a chance to solve it on their own.
I’d just alert them to the issue.
The nickname isn’t the issue. The point is the degree of alarm one should exhibit at discovery of a dubious or flawed website on the internet.
I work in healthcare. This is definitely a HIPAA violation, and you should report it to the site and to your therapist. You should also report it to your state’s HIPAA office. I urge you to take action.
Response moderated (Spam)
Answer this question 
This question is in the General Section. Responses must be helpful and on-topic.
Composing members:
0
