Share:

Two veterinary clinics say client data was accessed without OK

Incidents reveal weaknesses in practice information safeguards

Published: March 20, 2023
After an animal clinic in Virginia complained that Pawlicy Advisor had tapped its practice data without authorization, the company, which deals in pet insurance, revised its approval process for accessing clinic information. It now uses a formal digital sign-up form rather than acting on a perceived verbal OK.

An administrator at a veterinary clinic outside Richmond, Virginia, was shocked earlier this year to learn that an outside company had accessed client information without authorization.

The practice was not the victim of hackers or phishing scams. The company in question, Pawlicy Advisor, basically walked into the practice database through an open door — a door that Shady Grove Animal Clinic, and possibly other practices, thought of as locked.

Learning it wasn't, and then trying to secure the portal, was "a time-consuming nightmare," said Shady Grove administrator Charlene Braman.

Two companies involved in the incident acknowledged that mistakes were made, and have taken steps to avoid repeats in the future. But Braman remains wary.

She had never even heard of Pawlicy until a veterinarian at the clinic received an email from the company on Jan. 19. The message said Pawlicy, a pet insurance comparison service, had connected to the clinic's practice information management software and was seeking permission to send emails to clients.

Founded in 2018, Pawlicy makes customized insurance recommendations to pet owners, and sells policies.

As far as Braman knew, Shady Grove had no relationship with the company. The only connection was that a veterinarian on staff, the one who received the email, had stopped by a Pawlicy booth at the trade show of VMX, a veterinary conference in Orlando, a few days before.

The veterinarian said she had simply chatted with the Pawlicy representative, indicating interest but making no deals. As an associate, she wasn't authorized to make decisions like that for the practice.

Upon learning about Pawlicy's email, Braman sent her own — to Pawlicy and to the company that owns the practice information management software, called Avimark, used at the clinic. The software owner is Covetrus, a global animal-health services business. She demanded that access to client data be shut off immediately.

In brief

* A casual conversation between a Virginia veterinarian and a salesperson at a recent conference trade show led the salesperson's business to access the veterinarian's practice database without written permission. 

* Two companies involved in the incident — Pawlicy Advisor and Covetrus — acknowledge that mistakes were made, and say they have taken steps to avoid repeats in the future.

* The VIN News Service learned of a veterinarian in Vermont who said she had a similar experience in 2021. Like the people at the clinic in Virginia, she was surprised to find out that a company could access a clinic's practice information without formal approval from the clinic.

What Pawlicy sought to do is not unusual. Hundreds of companies regularly pull information from or add information to client records stored on practice information management systems (PIMS) to do things such as send appointment and pet health reminders, process pet insurance claims or provide home delivery of medicines.

The companies, like Covetrus, that own the PIMS make agreements with these third-party companies that allow them to interact with data in clinics' computer systems.

As digital services proliferate in veterinary medicine and more companies reach into clinic records, some practice owners and managers worry about their data security. They fear practice information could fall into the hands of competitors or be used to solicit their clients without permission.

The gap in protections revealed by the episode at Shady Grove, and a similar incident at a Vermont clinic in 2021, is the sort of thing that keeps owners and managers up at night.

Covetrus widely publicizes a commitment to keeping client data secure, and then shares that responsibility with third parties without proactively verifying that those parties are following prescribed authorization procedures. 

Covetrus declined an interview with the VIN News Service but provided responses to emailed questions acknowledging a problem had occurred. The company said it had "been advised" that Pawlicy "may have violated" the terms of its integration contract "by extracting data from a veterinary practice without following appropriate agreed-to procedures."

Pawlicy is one of more than 600 Covetrus "integration partners." Each of them, Covetrus said, "agrees to abide by a strict contract related to how a veterinary customer signs up for a partner's services and clearly outlines how data may and may not be extracted and used."

Covetrus also said it believes the incident was isolated to one practice and "is likely the result of a misunderstanding" between Pawlicy and the practice. "We are working with Pawlicy to help them identify where their procedures fell short, so appropriate corrective actions can be taken," Covetrus said in early February.

Covetrus temporarily suspended recent and new Pawlicy integration connections in January. "We worked closely with Pawlicy on the remedial actions required to rescind their suspension, which was granted after an internal review process," Covetrus said last week. "We continue, however, to closely monitor their integrations with our veterinary partners to ensure they are adhering to the steps outlined in our agreed-upon action plan. If Pawlicy is found to be out of compliance again, additional actions will be determined."

Pawlicy CEO Woody Mawhinney told VIN News in February that the incident was a one-off resulting from miscommunication. He said the company representative at VMX believed the clinic associate had authorized integration and was in a position to do so. Once Pawlicy learned otherwise, "We immediately revoked the integration; no client data was kept or used," he said.

Mawhinney said he takes the issue "very seriously." Pawlicy has since modified its sign-up procedure to provide "an additional layer of written confirmation, and updated our Terms and Conditions to help avoid any miscommunications in the future."

The executive expressed frustration over the Shady Grove snafu. "It is not in our best interest not to do right by vets," Mawhinney said. "We work with many vets where the experience has been phenomenal. We take pride in that."

From curiosity to headache

Shady Grove's perspective was provided through email interviews with the clinic administrator Braman, who communicated on behalf of the clinic and the associate veterinarian.

At VMX, the veterinarian stopped by the Pawlicy booth, expressing interest in the service. A Pawlicy representative scanned a bar code on her badge, with permission, which is a customary way for exhibiting companies to collect attendee contact information.

The associate believed Pawlicy "would just email her more information" that she could share with the clinic owners, who would decide whether to use their services.

A few days later, the veterinarian received the startling email from Pawlicy "stating that integration with our Covetrus services was complete and that they were ready to begin sending messages to our clients," Braman recounted. That's when she promptly wrote back, telling Pawlicy to immediately stop all activities involving the clinic.

Braman then logged onto the Pawlicy software with credentials provided in the company's email. "[I] was shocked to find that they had pulled data from all of our clients who had visited the practice that day," she said. "The data included the clients' first and last names, their pets' names, their email addresses and phone numbers, and even what time they had visited the clinic that day." The finding left her "alarmed and upset."

She called Pawlicy. "I explained to them that our associate had no idea Pawlicy was going to do this, that this was causing a lot of stress to our associate because they were worried that they had done something wrong simply by having their badge scanned by Pawlicy," she said. She complained that no one at Pawlicy or Covetrus reached out to clinic owners to make sure they were OK with Pawlicy integrating with client data.

The Pawlicy representative initially was "cavalier about it and acted like it wasn't a big deal and tried to make excuses for it."

When she asked for the name of the person at Covetrus who gave Pawlicy access to the database, she said she was told that there wasn't a specific person at Covetrus who gives permission. "Because Pawlicy is a ‘partner' of Covetrus, they were able to ‘backdoor' (the exact word the rep used) into our Covetrus database and pull our client data that way," she said.

Braman was floored.

The next morning, she found, to her relief, that Pawlicy had removed all client information from their program. She followed up with phone calls to Pawlicy and Covetrus to request documentation demonstrating that Shady Grove had authorized access.

"I requested this of both companies even though I knew they didn't have any documentation," Braman said.

A Pawlicy representative admitted that the company didn't have any written or digital authorization from the clinic, she said, "and [they] informed me that it is not their policy to get such authorizations but that they are now changing their policies because of what happened to our clinic."

She said Covetrus replied that it didn't have documentation because that's the responsibility of the integration partners.

An earlier complaint

Although Pawlicy and Covetrus describe the Shady Grove case as a one-time event, another veterinarian told VIN News that Pawlicy accessed her practice information in 2021 without authorization — although the circumstances were different.

The incident began when Dr. Twyla Angelos, medical director for a practice in Vermont, agreed to a Zoom "lunch and learn" with the company. She said she asked for brochures after the meeting.

"A few days later, they sent an email [inviting us] to explore the website. It had all our Avimark client schedule and contact information for the upcoming week, and they were set to send out emails (solicit) to our clients without our approval," Angelos described in a written chronology provided to VIN News. "We had never agreed to use them."

She told Pawlicy to remove the information. When she asked how they were able to access her PIMS, the representative told her Pawlicy works with Vets First Choice, which the practice used as its online pharmacy.

Vets First Choice is a precursor of Covetrus. It merged with Henry Schein Animal Health in 2019 to form Covetrus. Both Angelos and apparently Pawlicy referred to Covetrus at times as Vets First Choice, although by this time, it was Covetrus. 

Angelos said that when she contacted Avimark and Vets First Choice, they gave her the "runaround" and "no one wanted to take responsibility" for what Pawlicy was doing. She said Avimark suggested a software file allowing a third party to remotely access clinic data might have been downloaded on her server without the clinic's knowledge.

No one at either Vets First Choice or Avimark told Angelos that Pawlicy was one of Covetrus' integration partners, she said. Eventually, a representative at Pawlicy explained to her that the company works with Covetrus. Angelos had the policy integration discontinued at that time.

Both Angelos and Braman told VIN News their frustration with the company didn't have anything to do with the products it offers. Angelos said she likes the services and would give Pawlicy brochures to clients to help them shop for pet insurance. Braman said, "From what I can tell, they offer unique and neat services for clients, and we may very well have been interested in using their services had they spoken with us first."

Pawlicy responds further

Pawlicy CEO Mawhinney insists that in the case of Shady Grove, a veterinarian from the clinic had approved access at VMX. "We received formal verbal confirmation and then scanned the veterinarian's barcode, as was our system at the time, to move forward with the initial integration," he said in an email last week.

"Once I was made aware of the situation, I personally spoke with the clinic directly and apologized for any confusion or complication this may have caused," he added.

Mawhinney did not answer questions about Angelos' experience or whether additional practices have complained about having data accessed without permission, but he did suggest that there has been "confusion" in the past.

"In any case where there was confusion with this process, which is rare in comparison to the many vets we partner with, we spoke with that clinic directly and addressed the situation, stopping any services before they went live," he said. "We have never initiated a live partnership without messaging the clinic ahead of launch."

Mawhinney describes the previous authorization process as having two parts. First, with verbal approval from a veterinarian or authorized clinic representative, Pawlicy would access PIMS data to create a "demo of the platform integration." Second, a link to the demo with sign-in credentials would be sent to the practice, "along with a second email offering the clinic the opportunity to not proceed with the program."

For Braman and Angelos, confirming authorization after accessing practice data and on the eve of sending emails to clients is too late.

"This absolutely should not be considered a ‘second-step verification,' " Braman said, "because at the point where we had received that email, they had already integrated with our client database without our knowledge. A true second-step verification should happen BEFORE the integration takes place."

That feedback appears to have gotten through.

"Once we learned our previous approval process may cause miscommunication for some," Mawhinney said, "we proactively chose to add an additional layer of written confirmation to help avoid any miscommunications in the future."

Pawlicy has created a new sign-up form that requires digital authorization to access clinic data. 

The form requires an "authorized representative" of the practice to agree "that Pawlicy Advisor and its integration partner Covetrus may access Veterinary Practice PIMS data for the sole purpose of providing educational services to your Veterinary Practice and your veterinary customers."

During the Western Veterinary Conference in February, Mawhinney showed the new form to a VIN News reporter, explaining that it will be used at conferences. The form is also being sent to current Pawlicy customers. 

"We are currently reaching out to existing partners to review and accept our Terms and Conditions, and this is our standard practice for new practices before they come on board," Mawhinney said in a recent email. In addition, he said, Pawlicy representatives are meeting personally with any veterinarians who have questions.

Closing — and locking — the door

Despite Pawlicy's changes to the approval process and apologies to the clinic, Braman is not consoled. During a follow-up conversation with VIN News last week, she was upset to learn that Mawhinney continues to assert that a Shady Grove veterinarian approved the integration at VMX. She said she spoke with someone who witnessed the interaction and confirmed the clinic veterinarian's account that no consent was given for access or integration.

"When [Mawhinney] spoke with me on the phone," Braman said, "he admitted that this was likely a case of an overzealous/overexcited rep who made assumptions and went ahead with the process without making sure that he actually had consent and without making sure he was even speaking to an authorized representative of the clinic," she said. "It is a little bit of a slap in the face that he is now telling others that Pawlicy did have formal verbal confirmation when they did not."

Braman said she has been told that the clinic data has been purged and the integration disabled at her clinic. But closing the door on one third-party company doesn't assure her that another integration partner won't walk through the door without permission. She'd like to see more accountability from Covetrus.

"Every time a Covetrus rep comes into our clinic and reviews one of their services with us, we always make them review their privacy policy, and they always promise that they strictly guard our client data and that they don't share it with anyone without our permission," she said. "However, the incident with Pawlicy proves that this is untrue." 

So, she's made a different deal with Covetrus: They have to notify and get approval from the clinic before going forward with any new third-party integrations.

"Now our account has an alert that says that Covetrus must confirm with us prior to integrating with another company," she said, "but I shouldn't have had to ask for that in the first place; that should be their policy for everyone because that is how their reps are telling people that they handle things."

VIN News Service commentaries are opinion pieces presenting insights, personal experiences and/or perspectives on topical issues by members of the veterinary community. To submit a commentary for consideration, email news@vin.com.

Information and opinions expressed in letters to the editor are those of the author and are independent of the VIN News Service. Letters may be edited for style. We do not verify their content for accuracy.

Share:

 
SAID=27