#1
I'm kind of worrying here, and wondering if I could get some advice/perspectives... especially those of you that are fairly tech savvy.
I met with a new T this week to talk about doing neurofeedback (she'd just be doing neurofeedback, I would still see my regular T for actual therapy). It looks interesting, so I have an appointment for Monday morning to do the brain map (where they check out how your brain is currently functioning, before figuring out how to train it). I'm nervous, but also hopeful and excited. Before I can do that though, I have to fill out a bunch of forms online - health and mental health information. Things like symptoms (so they can determine whether your symptoms are a result of the neuro-stuff)... That's all fine... so far.

Except... she sent me a link to their website, told me to log in with my email address, and sent me the password in the email. A four-digit password. I expected that I could change the password on the site... because seriously, she SENT THE PASSWORD VIA EMAIL (not encrypted, not secure!), and it's a FOUR DIGIT password (e.g. "1234") which would be ridiculously easy for someone to crack (4 digits = 10,000 possible combinations. That's it. That's not a lot!) On top of that, this is health/mental health information, and I'm in the US (I think, but am not sure, HIPAA might play into how health info is stored). There was no place to change the PW. *sigh*.

OK, so I emailed her. A fairly friendly, light email asking her if there was a way to change the PW, because I couldn't find it... and it seemed like such an obvious thing that you should be able to do. She just replied. And said nope, but not to worry! It's totally secure! They have over 500 people using it, and her husband works at a company that does "identity management". Errr... I do not feel reassured. I know, I'm difficult. I know, I'm making this hard. But, seriously... it's health information! And she sent the 4-digit password to me in EMAIL.

What would you do? I've been struggling to find anyone competent locally who can do neurofeedback, and she seems to be the best option. I don't know... it doesn't feel secure. I think my only other option is to ask her if I can speak to her for a minute on the phone, and see if she can manually reset the password to something a bit better, over the phone (rather than in email, which again, is so not secure!) Should I treat this as a huge red flag and totally bail? The appointment is Monday, and... shoot. I think I need to give 24 hours to cancel, which would mean (in business days) tomorrow (Friday) morning...
#2
I would not like that setup at all. They’re basically relying for security on hoping no one will want to hack their site as small potatoes.
I guess if she's willing to listen and work with you on it I'd give it a try. But otherwise it depends on how much you want to do neurofeedback.
#3
Thanks ATisketATasket! Thanks so much for replying... I sometimes wonder if I'm crazy, if I'm the only person out of 500 (!) who had an issue with this.
But the more I think about it, the more upset that I'm getting. Her saying that because her husband works in "identity management" they "take security very seriously" - I want to reply and say, "no, clearly you don't!" I'm googling, and there's a TON out there that talks about why sending any passwords (not just related to health info) via email is a really dumb idea. Arghhhh... it's never easy!
#4
That would make me uneasy as well. Would she be willing to have you print out the forms and fill them out by hand to give to her?
#5
Thanks LonesomeTonight. I thought about that, but I'm afraid that she would just manually enter the papers into the same system, which sort of defeats the purpose!
And... I just reread her email. She says that they have 500+ CLINICS using their system (they train other clinicians). Not 500 people... Ayyy wow. I'm going to think some more on this... like I said, I think I'd be OK if I could have her manually change the password over the phone, so it's not in email. But wow... she says that they have "multiple layers of security" and "it costs a fortune to have this much security" - but she doesn't seem to get that all that goes out the window if you're emailing passwords to people!!!
#6
Ugh. Well, I just emailed her back (it's almost 1 am by me). Since my appointment was for Monday early in the morning, and she requires 24 hours to cancel... I asked her to cancel. I don't think we'll be able to resolve this first thing in the morning.
I'm really disappointed, and honestly, a little upset. I don't expect therapists to be experts at computer security - but if they have >500 clinics using their system, even if each clinic only has an average of 10 clients, that's 5000 people being emailed passwords. And there was literally no way for me to change the password myself (!). I would have been OK with it, if I could have changed it when I logged in. I googled around to double check, and yeah, this is not secure. And it's health-related, which is just... ugh, so bad.

But what makes it worse is the response from the person... the response of, "oh no, we have a very expensive system with multiple layers of security. I can assure you, it's totally safe. My husband works in identity management and we both take security very seriously!" I feel such a high level of astonishment - that someone with (apparently?) no real technical background isn't grasping what they're doing, and believes this is totally secure. I feel like... it's so astounding that I almost don't have words. I was polite (as much as I could manage) in my reply, but I did provide a couple links and explained that while the system itself may be secure (it could be, I don't know!) that emailing passwords is very much not secure.

Thanks for listening, and huge thanks ATisketATasket and LonesomeTonight for the super fast replies... it was really helpful. I feel kind of crappy right now, but I'm a very private person - even if the chance of exposure is low, I don't want all of my health info and mental health info out there, ready to be hacked. Just, no. Thanks!
#7
Hi guilloche,
I think you were very right to be concerned. This is a huge red flag. And it's health information. I would try and report the therapist to some sort of government agency if possible. I think what she's doing might be against the law.
#8
I have also been doing neurofeedback, and balked at filling out some of the inventories my regular T scoffs at. I wanted to do it enough that I just complied. I guess I don't have so much belief in HIPAA anyway, and would be one of the 499 that didn't think about the password.
__________________
Living things don't all require/ light in the same degree. Louise Gluck
#9
I never really thought about the security of therapy emails as I always figured who would care to read emails between little ol' me and my very private T. For the longest time googling T would only bring up the location of the hospital she worked for. I never saw her there but her private practice. It was kind of like in the computer world she didn't exist. Now googling her name will bring up the 3 obituaries and her very private Facebook page with a couple of pictures.
When I started seeing Emdr we discussed how she will not use email or anything like that outside of initial contact with potential clients because of the lack of security... her husband teaches internet security and gave her the low down. I would definitely not want to fill out the very personal information knowing how many clinicians and clients are accessing the program.
#10
You're totally right to be concerned in my view. HIPAA absolutely has plenty to say about maintaining security of records, so not only is this T clueless, but their clinic is probably in violation. If they accept insurance/Medicare/Medicaid reimbursement, they would also be in violation and are risking being shut down.
#11
Thanks guys, I was surprised to see more responses to this!
To update, my T encouraged me to try talking to another person (just down the road from me, so super convenient) about neurofeedback. She knows the woman who runs the practice, who of course had a ton of nice things to say about this particular neurofeedback-T. I spoke with him last week, and was disappointed. He uses the same system (with the insecure PW) as the other T, but was OK with me choosing a secure password and giving it to him in person or on the phone to set it up, so that was OK. But, we didn't really hit it off, personality-wise. I felt like he wasn't understanding my questions, and his answers were lengthy and not really addressing my concerns. As an example, I asked how he deals with any side effects that might come up - and he started talking about how there's only been one lawsuit around neurofeedback (which has nothing to do with what I was asking and was kind of weird). So, that's a no-go. I'm still trying to figure it out, and driving myself crazy.

Pitiver - I use the free version of Bitdefender. It's OK, but sometimes it doesn't start up automatically and I don't always realize, so that's annoying. I don't know why it happens and haven't had a chance to try to fix it yet. If you have a newer computer (Windows 10) - I've heard that they're starting to build in the anti-virus stuff, so you might check into that. It's supposed to be pretty decent, I believe, but I'm not sure of the details.

Downandlonely - Thanks! I wondered about it being a violation as well, it seems so blatantly bad to me. I think they might get away with it because their intake paperwork says that they're providing an "experimental treatment" and they "don't diagnose", etc. In other words, even though this person is a licensed therapist, it sounds like she's saying she's not acting in her role as a therapist in providing this type of treatment? I don't know. My current T also thought it sounded like a HIPAA violation. I don't think I want to go down the road of trying to report it, honestly, since I'm overwhelmed already with life stuff right now. I think most of her clients are doing "peak brain training" stuff (i.e. people who don't identify as having psych issues, just trying to make their already good brains better), rather than seeking psych. help.

SalingerEsme - Oh wow - I would seriously LOVE to hear any advice you can pass on re: how to find someone. I'm going crazy here. It seems like "neurofeedback" covers a ton of different things (infralow, Z scores, something that doesn't use Z scores, neur-Optimal, entrainment, etc...) - and it's hard to figure out who is doing what, and what's most effective. I feel like, with the psych stuff (CPTSD for the win!) I need someone who knows what they're doing, not someone who's just following a flow chart of "do this, then this, then this" - which I'm worried some people might be doing. How are you liking it so far? Is it helping at all?

Nottrustin - Yeah, I know... I try to at least be mindful in my emails that they *could* be compromised (email is sent as clear text, not encrypted, and travels over several computers - and could be saved by any of them). But at the end of the day, I try not to worry too much about it. But in this case, it just felt... so blatantly dumb to have it set up this way. And so easy to fix. It's so bad... it makes me question what other dumb things they might be doing that I can't see... !