How a Billion-Dollar Startup Tried to Access My Entire Patient List: A Cautionary Tale for Every Physician
Running a successful multi-location private practice comes with its fair share of challenges—from hiring physicians to negotiating insurance contracts. But one threat I never expected came from a trusted vendor: a well-funded healthcare tech company that attempted to access the personal data of every single patient in my EMR.
This isn’t just a story about cybersecurity or HIPAA compliance. It’s a real-world warning about how even billion-dollar companies can push ethical and legal boundaries, and why every physician who owns a medical practice needs to be vigilant about who they give access to their electronic health records (EHR).
The Pitch That Sounded Too Good To Be True
It all started when a startup—valued at nearly $3 billion and backed by half a billion dollars in venture capital—pitched us a solution that seemed perfect. They offered to handle our prior authorizations using a combination of artificial intelligence and a dedicated team. The pitch was that this would reduce time spent charting, ease our staff’s burden, and improve our practice’s workflow.
They sent over a BAA (Business Associate Agreement), the standard HIPAA contract that obligates a vendor to safeguard the protected health information it handles. Everything checked out on paper. We granted them limited user-level access to our EHR through AdvancedMD, with permissions scoped to pull only the diagnosis codes needed for prior auths.
Understanding EMR Access: API vs. User Accounts
EMR systems like AdvancedMD offer two common access points:
- APIs – Programmatic interfaces through which a vendor's software pulls data directly, at whatever scope the integration was granted when it was set up.
- User accounts – Login-based access where the vendor's staff (or their automation) sign in as a named user, so what they can see is governed by that user's role permissions and what they do shows up in the audit log under that user.
Both are common in practices. For example, you might create a limited-access account for a sleep lab to help them complete a prior authorization. The key is assigning the right permissions and trusting the vendor.
But trust alone isn’t enough—as I was about to learn.
The Red Flag: Suspicious Activity Detected
It was a quiet Friday afternoon when I received a flurry of system-generated emails. Someone was attempting to request access to parts of our EHR they weren’t authorized to see. I logged in immediately to investigate.
As a super admin in AdvancedMD, I had access to logs showing IP addresses and user actions. The IP wasn't foreign; it was local, indicating the vendor itself was behind the access attempt, not a hacker.
Digging deeper, I discovered something more troubling: they had attempted to pull full demographic data, including patient names, birth dates, addresses, phone numbers, and insurance details. Not once, but multiple times—and even filtered by insurance type, like Blue Cross Blue Shield and Medicare-age patients.
This wasn’t an accident. It was intentional.
Immediate Action: Lockdown
I revoked their access immediately and contacted our rep. As expected, they feigned ignorance.
“Let me check with the engineering team,” he said.
By Monday, I got a response: an engineer had “accidentally” tried to pull the data. The system stopped them, and no data was successfully retrieved.
But let’s be honest—you don’t accidentally attempt to export segmented patient demographics by payer and age group multiple times.
What Were They Really After?
In my opinion, they were trying to build a patient list to use for their own direct-to-consumer healthcare services. The company had recently pivoted to offer treatments like ED meds and online prescriptions—all outside the referring physician relationship.
Imagine the trust that would be broken if your patients were contacted by a third party who somehow knew their medications or insurance.
That’s not just unethical—it’s a threat to your reputation, your patient relationships, and possibly your legal standing.
Lessons for Every Physician
- Read the Fine Print, But Audit Behavior Too. Legal documents like BAAs are important, but they don't stop bad behavior. Always monitor your system logs and audit vendor actions.
- Never Assume Size = Trustworthiness. I made the mistake of thinking that a company with $500 million in VC backing would have its act together. Money doesn't guarantee integrity.
- Limit Vendor Access Granularly. AdvancedMD and most EHRs allow you to assign permissions. Use the minimum necessary rule religiously.
- Know Who Has API Access. Vendors like Zocdoc (which was not the company in question) may have API access to your EMR if you integrate with their calendar or booking tools. Make sure you're aware of what they can see and do.
- Have a Plan When Things Go Wrong. Luckily, our permissions were set up correctly, and no data was stolen. But if things had gone differently, I would have needed a lawyer, a HIPAA breach report, and possibly a PR plan.
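What "audit vendor actions" and "minimum necessary" look like in practice, as an added example that is not part of the original post and not AdvancedMD's own tooling: a short Python script that reads audit-log lines of the kind described in the red-flag section and flags a vendor account that repeatedly gets denied, reaches for resources outside its granted scope, tries to export demographic or insurance data, or segments its requests by payer and age. The log format, field names, account names, scope table, and IP addresses are all constructed for illustration; a real EHR's export will look different and the parser would need adjusting.

```python
import re
from collections import defaultdict

# Constructed sample audit-log lines in a hypothetical "timestamp key=value ..." format.
# This is NOT AdvancedMD's real log format; every field name here is an assumption.
SAMPLE_LOG = """\
2024-05-10T15:02:11Z user=vendor_pa_bot ip=203.0.113.40 action=read resource=patient.diagnosis_codes result=allowed
2024-05-10T15:03:40Z user=front_desk_1 ip=198.51.100.7 action=read resource=patient.demographics result=allowed
2024-05-10T15:04:53Z user=vendor_pa_bot ip=203.0.113.40 action=export resource=patient.demographics filter=payer:BCBS result=denied
2024-05-10T15:05:12Z user=vendor_pa_bot ip=203.0.113.40 action=export resource=patient.demographics filter=payer:Medicare,age:>=65 result=denied
2024-05-10T15:06:01Z user=vendor_pa_bot ip=203.0.113.40 action=export resource=patient.insurance filter=payer:BCBS result=denied
2024-05-10T15:07:30Z user=vendor_pa_bot ip=203.0.113.40 action=read resource=patient.diagnosis_codes result=allowed
2024-05-10T15:09:02Z user=front_desk_1 ip=198.51.100.7 action=read resource=patient.schedule result=denied
"""

# Minimum-necessary scope granted to each third-party account. This table is an
# assumption standing in for the practice's real permission configuration.
VENDOR_SCOPE = {
    "vendor_pa_bot": {"patient.diagnosis_codes"},
}

# Resources whose bulk export would be a disclosure of PHI/PII.
SENSITIVE_RESOURCES = {"patient.demographics", "patient.insurance", "patient.contact"}

LINE_RE = re.compile(r"(?P<ts>\S+)\s+(?P<fields>.*)")


def parse_line(line):
    """Parse one 'ts key=value key=value' line into a dict; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": m.group("ts")}
    for token in m.group("fields").split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)  # values like 'age:>=65' keep their own '='
        event[key] = value
    return event if {"user", "action", "resource", "result"} <= event.keys() else None


def in_scope(user, resource):
    """True if a vendor account is touching a resource inside its granted scope.
    Accounts not in VENDOR_SCOPE are staff, governed elsewhere, and pass through."""
    if user not in VENDOR_SCOPE:
        return True
    return resource in VENDOR_SCOPE[user]


def audit_vendor_activity(log_text, denied_threshold=2):
    """Return {user: findings} for vendor accounts whose activity matches the
    pattern in the post: repeated denials, out-of-scope resources, attempted
    exports of sensitive data, or requests segmented by payer/age."""
    stats = defaultdict(lambda: {
        "denied": 0, "out_of_scope": set(), "sensitive_exports": 0,
        "filters": set(), "ips": set(),
    })
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["user"] not in VENDOR_SCOPE:
            continue  # malformed line, or not a vendor account
        s = stats[ev["user"]]
        s["ips"].add(ev.get("ip", "?"))
        if ev["result"] == "denied":
            s["denied"] += 1
        if not in_scope(ev["user"], ev["resource"]):
            s["out_of_scope"].add(ev["resource"])
        if ev["action"] == "export" and ev["resource"] in SENSITIVE_RESOURCES:
            s["sensitive_exports"] += 1
        if "filter" in ev:
            s["filters"].update(ev["filter"].split(","))

    findings = {}
    for user, s in stats.items():
        reasons = []
        if s["denied"] >= denied_threshold:
            reasons.append(f"{s['denied']} denied requests")
        if s["out_of_scope"]:
            reasons.append("out-of-scope resources: " + ", ".join(sorted(s["out_of_scope"])))
        if s["sensitive_exports"]:
            reasons.append(f"{s['sensitive_exports']} attempted exports of sensitive data")
        if s["filters"]:
            reasons.append("segmented by: " + ", ".join(sorted(s["filters"])))
        if reasons:
            findings[user] = {"reasons": reasons, "ips": sorted(s["ips"])}
    return findings


if __name__ == "__main__":
    for user, f in audit_vendor_activity(SAMPLE_LOG).items():
        print(f"{user} from {', '.join(f['ips'])}:")
        for reason in f["reasons"]:
            print("  -", reason)
```

Two design points worth noting. The scope table is the same "minimum necessary" grant the practice configured in the EHR, so a denied request is not the only signal: any vendor request for a resource outside that table is flagged even when the system allowed it, which is the case you most want to catch if a permission was set too broadly. And the filter fields are collected verbatim, because a request that is segmented by payer and age is hard to explain as an accident regardless of whether it succeeded.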
Why This Matters
Healthcare data is sacred. It’s not just about HIPAA compliance. It’s about preserving the sanctity of the doctor-patient relationship and respecting the vulnerability that comes with seeking medical care.
Tech companies entering healthcare need to understand that. And doctors need to stop assuming that big money equals best practices.
Final Thoughts
I’m lucky. We caught the attempt in real time. No data was accessed. But this experience fundamentally changed the way I view third-party integrations with our EMR.
As a practice owner, it’s your responsibility to protect your patients—not just clinically, but digitally. Be cautious. Be curious. And most of all, never assume.
If you’re building or growing a private practice, remember: owning your data is just as important as owning your building or your business model.
Want More Practice Tips?
Subscribe to my YouTube channel for real-world lessons in private practice ownership, physician entrepreneurship, and medical business strategy.
Let’s keep independent medicine alive—safely, ethically, and profitably.