Ugh. Well, I just emailed her back (it's almost 1 am by me). Since my appointment was for Monday early in the morning, and she requires 24 hours to cancel... I asked her to cancel. I don't think we'll be able to resolve this first thing in the morning.
I'm really disappointed, and honestly, a little upset. I don't expect therapists to be experts at computer security - but if they have >500 clinics using their system, even if each clinic only has an average of 10 clients, that's 5000 people being emailed passwords. And there was literally no way for me to change the password myself (!). I would have been OK with it, if I could have changed it when I logged in.
I googled around to double check, and yeah, this is not secure. And it's health-related, which is just... ugh, so bad.
But what makes it worse is the response from the person... the response of, "oh no, we have a very expensive system with multiple layers of security. I can assure you, it's totally safe. My husband works in identity management and we both take security very seriously!"
I feel such a high level of astonishment - that someone with (apparently?) no real technical background isn't grasping what they're doing, and believes this is totally secure. I feel like... it's so astounding that I almost don't have words.
I was polite (as much as I could manage) in my reply, but I did provide a couple links and explained that while the system itself may be secure (it could be, I don't know!) that emailing passwords is very much not secure.
Thanks for listening, and huge thanks ATisketATasket and LonsomeTonight for the super fast replies... it was really helpful. I feel kind of crappy right now, but I'm a very private person - even if the chance of exposure is low, I don't want all of my health info and mental health info out there, ready to be hacked. Just, no.
Thanks!