Talk to your dentist. If they don't offer a way to opt out, find another dentist.
Yep. The dentist is shockingly dumb if they don't already have a plan and response with how this didn't fall south of HIPAA compliance.
Dentist is responsible for fixing teeth, if it does not involve teeth and they don't know about it, they are fine for not knowing.
Most dentists in the US do fall under HIPAA. Disclaimer for some dentists in some states or some edge cases, but in general, US dentists have to comply with HIPAA.
Which means they need to select software that can be implemented in a HIPAA-compliant way and develop processes that protect PHI (protected health information). Or ensure someone on their staff is responsible for HIPAA security.
So yes, if in the US, it's worth asking the dentist how this setup is kept HIPAA-compliant. If the dentist says "IDK, I just do tooth fixing stuff" then it's time to find a new dentist; they shouldn't be trusted with any private data with or without AI in the mix.
Edit: it also took 30 seconds to find the company's website where they at least claim they are compliant to HIPAA, GDPR, and an alphabet soup of other names.
HIPAA doesn't have that kind of teeth (pun intended). It just guarantees that someone at the practice claims to be responsible for the safekeeping of your protected health information (PHI). They have to report data breaches in a timely fashion. They have to protect your data with "best practices," and have plans in place to do so. It's so loosely worded; there's no requirement that all their vendors claim to be compliant. Certainly, it's easier for them to use vendors that support the alphabet soup if it comes to court, but their compliance is not hinged upon it. A few years ago, they added some specifics on encryption at rest and encryption in transit.
All they have to "prove" is that they've done a reasonably good job protecting your data and are following a couple of NIST guidelines for encryption. Certainly, half the vendors small companies use are not doing a good job behind the scenes. They probably have people VPNing from home, using personal machines, perhaps in public places. It's very easy to say you are HIPAA compliant when providing services to a larger company because those same toothless pinky-swear best-practice rules apply to them as well.
Before I'd worry about their artifact repository vendor, who's probably at least somewhat responsible, I'd worry about their remote IT support service. Or the backups they're using, or that they properly decommission and dispose of their hardware, or that they have sufficient antivirus and anti-malware protection to stop ransomware. Dental offices make great ransomware targets.
If their vendor is using AI, chances are they're doing it the right way. They take the x-rays, the software consumes the x-rays and tells them with a decent likelihood whether you actually need dental work in a specific spot. The dentist comes back and checks out the spot, confirms or denies and trains the algorithm a little bit. It's not a repository of identified people's teeth they're building up; it's a repository of unidentified images getting labeled with diagnostic issues. PHI is not PHI without the I. It might even grease the insurance process. How do you know Mr Smith needed a root canal? 14 years of experience and the software flagged it as well.
No, not the actual dentist but his manager.
I've never met a dentist that was not a decision-maker in their practice.
Decision maker in terms of how they want to pull your teeth out.