I need to tell you something that's going to make you uncomfortable. Right now, your telehealth benefit, the one you rolled out to great fanfare during the pandemic, is probably your biggest compliance liability. And I'm willing to bet you have almost no visibility into the actual security posture of the platform your employees are using.
Here's what I mean: You're not just offering a convenient healthcare perk. You've created a direct pipeline between employees' personal devices and your ERISA plan's protected health information. That tablet your employee's teenager uses for TikTok? It's the same one mom's using for her mental health sessions. That smartphone running a three-year-old operating system? It's transmitting prescription data for controlled substances over public WiFi at Starbucks.
After twenty years in benefits administration and technology integration, I've seen this movie before. Well-intentioned HR leaders adopt technology that solves one problem (access to care) while creating another they don't discover until it's too late (catastrophic data exposure). The gap between who employees think is protecting their health data and who actually bears legal responsibility when things go wrong? That's what keeps me up at night.
You're More Than a Customer: You're Legally on the Hook
Most benefits teams treat telehealth vendors the same way they treat any other software subscription. Sign the contract, add it to the portal, send an announcement email, and move on to the next open enrollment task.
But there's a fundamental misunderstanding here about how liability works. Under HIPAA, when you offer telehealth through your group health plan (not as a separate wellness perk, but as actual plan coverage), you're functioning as a Covered Entity. This isn't a technicality. It means:
- That Business Associate Agreement isn't protecting you as much as you think: it's establishing minimum compliance requirements
- When your vendor's system gets breached, you inherit the breach notification obligations
- Your ERISA fiduciary duty now extends to the digital security of health data
- State privacy laws add another layer of exposure that varies depending on where your employees live
Here's the part nobody mentions in the sales presentation: Most telehealth BAAs are written to minimize vendor liability and maximize yours. I've reviewed dozens of these contracts, and the pattern is consistent. When something goes wrong, you're going to be holding the bag.
Five Security Exposures Hiding in Plain Sight
The Economics of "Free" Telehealth
Let me ask you something. If your telehealth vendor charges you nothing, or next to nothing, how exactly are they making money? I've been in enough contract negotiations to know the answer, and it should concern you.
These platforms generate revenue through data monetization. They'll tell you it's all "de-identified" and completely legal, which is technically true. But here's what that actually looks like in practice:
- Aggregated health data sold to pharmaceutical companies for "research"
- Condition management programs that are really just sophisticated pharma marketing
- Third-party advertising networks that build profiles based on health behaviors
- Analytics licensing agreements with insurers (sometimes the same carrier you already work with)
The cybersecurity implication? Every single data-sharing partnership creates another potential breach point. I reviewed one contract where the vendor had data-sharing agreements with 47 different third parties. That's not security architecture; that's a game of telephone with your employees' health information.
Try this in your next vendor meeting: "Can you provide a complete list of every third party that has access to de-identified employee data from our plan, what specific data elements they receive, and the results of their most recent cybersecurity audit?"
The silence will tell you everything you need to know.
The Impossible Device Security Problem
Here's a scenario that plays out every single day across your employee population. Someone needs to refill a prescription for anxiety medication. They pull out their phone: the same phone their kids use to watch YouTube, the one that hasn't had a software update in eighteen months, the one connected to their home WiFi that still uses the default password from the router box.
They open the telehealth app, have a video visit with a psychiatrist, discuss dosage changes and side effects, and authorize the prescription refill. All of that protected health information just flowed through a device that's also logged into Facebook, has location tracking enabled for a dozen shopping apps, and gets handed to a twelve-year-old to play games.
Now multiply that scenario across your entire employee population. People accessing sensitive health services from:
- Ancient smartphones with known security vulnerabilities
- Shared family tablets that multiple people use
- Public WiFi networks at airports and coffee shops
- Work laptops that have consumer-grade security
Courts are starting to ask a very uncomfortable question: Is it "reasonable and appropriate" under HIPAA to transmit protected health information to uncontrolled devices without verified encryption, strong authentication, or any security validation?
The honest answer is probably no. But most benefits programs are doing it anyway because there's no practical alternative that doesn't make telehealth unusable.
When we built WellthCare's Health-to-Wealth Operating System, we knew we couldn't prevent employees from using personal devices. But we could build in safeguards that at least establish that we've taken reasonable precautions. Device security attestation before accessing sensitive data. Automated encryption verification. Biometric authentication requirements for high-risk actions. Session monitoring that flags anomalies like middle-of-the-night logins from unfamiliar locations.
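As an added illustration of the session-monitoring safeguard described above (example code written for this article, not WellthCare's own implementation): it parses a constructed session log and flags the two signals the paragraph names, off-hours logins and logins from a location the user has never used, plus a failed device attestation. The log format, the off-hours window and the step-up policy are all assumptions.

```python
"""Flag risky telehealth logins from session log lines (example code)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample session log (not real data). Fields: local timestamp,
# user id, coarse location, and the device attestation outcome.
SAMPLE_LOG = """\
2024-03-04T14:02:11 u1001 Denver/CO attested
2024-03-05T09:15:40 u1001 Denver/CO attested
2024-03-05T11:30:00 u2002 Austin/TX unattested
2024-03-05T12:05:22 u2002 Austin/TX attested
2024-03-07T02:47:03 u1001 Kyiv/UA attested
"""

# Assumed policy: 00:00-04:59 local time counts as "middle of the night".
OFF_HOURS = range(0, 5)


def parse_log(text):
    """Parse one login event per line into dicts, oldest first.

    Blank or malformed lines are skipped rather than crashing the monitor.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, location, attestation = parts
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "location": location,
            "attested": attestation == "attested",
        })
    return sorted(events, key=lambda e: e["time"])


def detect_anomalies(events, off_hours=OFF_HOURS):
    """Return (user, time, reasons) for every login that trips a rule.

    A location is 'unfamiliar' when the user has no earlier login from it;
    a user's first-ever login seeds the baseline and is not flagged for it.
    """
    seen = defaultdict(set)  # user -> locations already used
    findings = []
    for e in events:
        reasons = []
        if e["time"].hour in off_hours:
            reasons.append("off_hours_login")
        if seen[e["user"]] and e["location"] not in seen[e["user"]]:
            reasons.append("unfamiliar_location")
        if not e["attested"]:
            reasons.append("unattested_device")
        seen[e["user"]].add(e["location"])
        if reasons:
            findings.append((e["user"], e["time"].isoformat(), reasons))
    return findings


def decide_action(reasons):
    """Assumed response policy: any anomaly forces step-up (e.g. biometric)
    authentication; two independent signals also page the security team."""
    if len(reasons) >= 2:
        return "alert_security_and_step_up"
    return "step_up_auth"


if __name__ == "__main__":
    for user, when, reasons in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(user, when, reasons, "->", decide_action(reasons))
```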
Prevention first isn't just our philosophy for healthcare. It's how we think about cybersecurity.
The Screenshot Vulnerability Nobody Can Fix
I'm going to share something that most vendors won't admit: There's a massive security hole in every telehealth platform, and it's completely unfixable with current technology.
Employees can screenshot anything. Everything, really. Lab results showing a positive test for a sexually transmitted infection. Prescription details for medications that reveal mental health diagnoses. Payment information that connects their identity to specific health services. Therapy session notes discussing substance abuse.
And once they take that screenshot, the protected health information leaves your secured environment forever. They text it to their spouse over unencrypted SMS. They email it to their personal Gmail account "for their records." They upload it to Google Drive as a backup. They share it in family group chats to coordinate care for elderly parents.
Every single one of those actions is a HIPAA violation waiting to happen, and there's almost nothing you can do to prevent it without making the platform so restrictive it becomes useless.
Almost nothing, but not nothing. Here's what actually works:
- Contractually require your vendor to implement screenshot detection with immediate user education prompts
- Build in screenshot logging so users get a warning and your security team gets a notification
- Provide secure alternatives for documentation, like encrypted downloads from a health record portal
- Make digital PHI handling part of your benefits enrollment education
The goal isn't to stop every screenshot; you can't. The goal is to document that you've implemented reasonable safeguards given the technological limitations. Because when that OCR (HHS Office for Civil Rights) auditor shows up and asks what you did to prevent PHI disclosure via screenshots, "we didn't think about it" isn't going to cut it.
Your Prescription Integration is Your Weakest Link
Modern telehealth platforms don't operate in isolation. They connect to an entire ecosystem of systems, and every connection is a potential vulnerability. When your employee gets a prescription through telehealth, here's what actually happens:
The telehealth platform connects to Surescripts, the national e-prescription network. Surescripts routes it to your PBM. Your PBM checks formulary and prior authorization. The prescription goes to a retail pharmacy's system. The pharmacy's system connects to their inventory management. Their billing system connects back to your PBM for claims processing. Insurance eligibility gets verified through another connection. If it's a mail-order prescription, add another fulfillment system to the chain.
Every single handoff is a point where data can be intercepted, stolen, or exposed through a breach.
Remember the 2023 PharMerica breach? It exposed 5.8 million patient records. The 2024 Change Healthcare ransomware attack (Change Healthcare is part of UnitedHealth) disrupted prescription processing for millions and potentially compromised billing data that's directly tied to diagnoses.
Here's the uncomfortable truth: Your telehealth vendor's cybersecurity is only as strong as their weakest integration partner. And you probably don't even know who all those partners are.
Start demanding answers:
- How is prescription data segmented from other traffic on your network?
- What real-time threat monitoring exists across integration points?
- What's your actual incident response SLA, not the legal maximum?
- Can you prove you have cyber insurance that covers breach notification and credit monitoring costs?
This is exactly why we're building WellthCare Pharmacy as part of our integrated ecosystem. When you control the entire data flow, from prevention to care to prescription to fulfillment, you eliminate ninety percent of third-party integration vulnerabilities. Healthcare that pays you back isn't just about economics. It's about security through simplification.
Mental Health Telehealth: Maximum Risk, Minimum Protection
If you think general medical telehealth security is concerning, wait until you look at mental health and substance abuse treatment.
These records get additional federal protection under 42 CFR Part 2. This regulation is stricter than HIPAA. It requires explicit patient consent before disclosure, even to other healthcare providers treating the same patient. The law was designed to protect people seeking help for addiction from discrimination and stigma.
But most mental health telehealth platforms I've evaluated aren't built with these extra protections in mind. They:
- Store session notes in standard cloud databases with basic encryption
- Use third-party AI transcription services to generate clinical documentation
- Integrate with EAP providers, creating complex multi-party data flows
- Enable "emergency contact" notifications without granular consent management
Let me paint you a nightmare scenario that's not hypothetical; I've seen variations of this happen.
An employee uses your employer-sponsored telehealth benefit for depression treatment. The platform experiences a data breach. The employee's diagnosis, complete medication list, and session notes end up on dark web forums where they're sold to data brokers. The employee finds out when they're denied life insurance because the underwriter purchased leaked health data.
Now that employee retains counsel and files suit alleging:
- HIPAA violations because you failed to ensure vendor compliance
- ERISA fiduciary breach for failing to protect plan participant data
- Multiple state privacy law violations
- Negligent supervision: you knew or should have known the vendor was inadequate
- Emotional distress damages from disclosure of mental health status
Your liability insurance might not cover all of this. Some policies exclude cyber incidents. Others have sub-limits for privacy claims. Many exclude punitive damages entirely.
What you need to do right now:
- Evaluate mental health telehealth security separately from general medical; don't assume they're the same
- Get 42 CFR Part 2 compliance certification in writing, not just verbal assurances
- Verify that behavioral health data is encrypted both in transit and at rest with separate keys
- Audit the consent management workflow to ensure employees actually control who sees what
- Establish internal breach notification protocols with 24-hour SLAs specifically for mental health disclosures
The RFP Checklist That Changes Everything
I've built this checklist from actual breach investigations, regulatory enforcement actions, and security gaps I've found in benefits programs at Fortune 500 companies. If your current telehealth vendor can't check every box, you need to have a very serious conversation about whether they should still be your vendor.
Technical Requirements
- SOC 2 Type II audit completed within the last 12 months (Type I reports are insufficient: they only verify controls exist, not that they work)
- Penetration testing conducted by an independent third-party firm at least annually
- End-to-end encryption for all data in transit using TLS 1.3 or higher
- AES-256 encryption for data at rest with documented key management
- Multi-factor authentication required for all user access, no exceptions
- Role-based access controls that limit which employees can see which data
- Automated session timeouts after 15 minutes of inactivity
- API security testing for every single third-party integration
- Zero-trust network architecture, not just VPN access
- Data loss prevention tools actively monitoring for PHI exfiltration
Vendor Management
- Signed Business Associate Agreement with unlimited liability provisions
- Cyber insurance coverage of at least $10 million with proof of current policy
- Complete subcontractor disclosure listing every entity with any data access
- Right to audit cybersecurity controls with 30-day notice
- Breach notification SLA of 24 hours maximum, not the HIPAA ceiling of 60 days
- Documented incident response plan reviewed by your internal IT and legal teams
- Data retention and destruction policies that align with your document retention schedule
- Geographic restrictions on data storage if your plan prohibits offshore servers
- Clear protocols for PHI handling when the contract terminates
Employee Protection
- Privacy training specific to telehealth for all enrolled employees
- Device security guidance explaining what makes a device "safe enough" for health data
- Phishing awareness education focused on health-related social engineering
- Secure messaging alternatives to prevent screenshot and text message PHI sharing
- Breach notification plan communicated proactively during benefits enrollment
- Identity theft protection offered automatically if any breach occurs
Compliance Documentation
- HIPAA Security Rule compliance attestation with supporting evidence
- State privacy law compliance for California, New York, Virginia, Colorado, and any state where you have employees
- 42 CFR Part 2 compliance for any substance abuse treatment services
- GDPR compliance if you have any employees in the EU or UK
- Regular risk assessments conducted at least annually with documented findings
- Audit logging of all PHI access with seven-year retention
The One Question That Reveals Everything
In every telehealth vendor demonstration, after they've shown me the slick interface and talked about their clinical outcomes, I ask one question that cuts through all the marketing:
"Walk me through exactly what happens in the first sixty minutes after you detect a breach of employee protected health information. Who gets notified? What systems get isolated? What's the decision tree?"
If they can't answer with specific names, documented timeframes, and tested protocols, you don't have cybersecurity. You have a PowerPoint presentation.
Real incident response isn't theoretical. It's a documented playbook that gets tested regularly. It has names of actual people who will get phone calls. It has pre-approved communication templates. It has technical runbooks for system isolation. It has legal review processes that preserve attorney-client privilege.
If your vendor can't produce this documentation, or if they fumble through a vague answer about "following industry best practices," you're looking at security theater, not actual security.
What You Can Do This Week
I know this is overwhelming. You're reading this and thinking about everything else on your plate: open enrollment planning, compliance reporting, benefits renewals, budget negotiations. Adding "comprehensive telehealth security audit" to that list feels impossible.
But here's the thing: A breach will make everything else on your list irrelevant. So let me give you three concrete actions you can take this week that will meaningfully reduce your risk.
Action One: Audit Your Business Associate Agreement
Pull out your current telehealth BAA. Actually read it. Look specifically for:
- Limitation of liability clauses that cap how much the vendor will pay if they screw up
- Indemnification gaps where you end up bearing the costs of their breach
- Notification timeframes: anything longer than 48 hours is unacceptable
- Missing audit rights or vague security requirements
If your BAA is more than two years old, it was written for a different threat landscape. The types of attacks happening today didn't exist when that contract was drafted. You need an updated agreement.
Action Two: Survey Your Employees Anonymously
You need to understand your actual risk profile, not your assumed one. Send an anonymous survey asking:
- What devices do you use to access telehealth?
- Have you ever taken a screenshot of health information?
- Do you share login credentials with family members?
- Have you accessed telehealth over public WiFi?
- Do you use the same password for telehealth that you use for other accounts?
The results will probably terrify you. But you can't fix problems you don't know exist. And when you're explaining your security posture to regulators after a breach, being able to say "we identified the risk through employee surveys and implemented mitigation strategies" is infinitely better than "we assumed everyone was following best practices."
Action Three: Create Your Breach Response Protocol
Right now, before anything goes wrong, create a one-page decision tree that answers:
- Who gets notified internally within one hour of receiving vendor breach notification?
- Who is the single point of contact with legal counsel?
- Who communicates with affected employees, and what's the approval process?
- What's the threshold for offering credit monitoring services?
- How do you preserve attorney-client privilege during the investigation?
- What's the escalation path to executive leadership and the board?
Don't wait until you're in crisis mode to figure this out. I've watched organizations make catastrophically bad decisions in the chaos immediately following a breach announcement because they didn't have a plan. People default to either overreacting (which creates legal exposure) or underreacting (which creates regulatory exposure).
Having a documented protocol doesn't guarantee you'll make perfect decisions. But it dramatically increases the odds you'll make defensible ones.
How WellthCare Thinks About Security
When we designed WellthCare's Health-to-Wealth Operating System, we didn't treat cybersecurity as a compliance checkbox. We built it into the foundation of how the entire system operates.
Our patent-pending technology minimizes data sharing by design. Instead of connecting to dozens of third-party systems, we built an integrated ecosystem that keeps data within our control. Fewer integration points mean fewer vulnerabilities.
Our focus on preventive care means less sensitive diagnostic data flowing through systems in the first place. When employees are healthier, there's less medical information being generated, transmitted, and stored. Prevention first isn't just good healthcare philosophy; it's good security architecture.
And critically, our business model doesn't depend on monetizing employee data. When healthcare pays you back through better health and growing wealth, there's no incentive to sell information to third parties. Everyone wins together, which means integrity isn't negotiable; it's how we make money.
HIPAA compliance isn't something we bolt on at the end. It's embedded in every workflow, every data flow, every user interaction. We've built automated monitoring that flags potential violations before they become breaches. Because the best way to handle a data breach is to prevent it from happening in the first place.
The Uncomfortable Truth
Telehealth isn't going away. The convenience is too great, the cost savings too significant, the employee demand too strong. It's become an essential component of modern benefits strategies, and trying to go backward would be both impractical and unpopular.
But convenience without security isn't innovation. It's negligence.
The benefits leaders who will thrive over the next decade won't be the ones who adopted telehealth first. They'll be the ones who secured it properly, documented their diligence, and treated employee data as the sacred trust it actually is.
Because when you get this right, when you build systems where healthcare actually pays employees back while protecting their privacy and security, you're not just offering a benefit. You're building something that lasts. You're creating real value that compounds over time. You're making decisions today that will protect your organization and your people years from now.
That's what we're building at WellthCare. Healthcare that pays you back isn't just about economics. It's about doing this right, from the ground up, with security and compliance as non-negotiable foundations rather than afterthoughts.
The question isn't whether your telehealth platform will face a security incident. The question is whether you'll be able to demonstrate that you did everything reasonable to prevent it and prepared responsibly to respond to it.
Start answering that question today.