Report a Security Concern

Last updated: May 13, 2026

Found something that looks wrong? Whether you are a patient, a member of our workforce, or an outside researcher, we want to hear about it. This page tells you exactly how to reach our Privacy & Security Officer, what to include, and how quickly you can expect a response.

Primary contact

Email security@rootedhealthmember.com (the address monitored for security reports, see "Expected response times" below). For end-to-end encrypted reports, request our PGP public key by email and we will reply with the current fingerprint and key block before you send sensitive details.

What to report here

  • Suspected unauthorized access to a patient account, portal session, or staff account
  • Vulnerabilities in this website, the patient portal, scheduling, or any Rooted Health domain
  • Suspected exposure of protected health information (PHI), payment data, or login credentials
  • Phishing or impersonation of Rooted Health staff, domains, SMS, or email
  • Lost or stolen devices that may have accessed your portal account
  • Bugs that bypass authentication, MFA, or role-based access controls

For non-security questions about your account, billing, or visits, please use the patient portal instead so we can route them to the right team.

What to include in your report

  • A clear description of the issue and the impact you observed or suspect
  • Step-by-step instructions to reproduce, including URLs and timestamps (with timezone)
  • The browser, device, operating system, and IP address used (when relevant)
  • Any screenshots, request/response samples, or logs — redact PHI before sending if possible
  • Whether you believe any data was actually viewed, copied, modified, or shared
  • Your name and a way to reach you for follow-up (anonymous reports are accepted)

Please do not attach real patient records, full SSNs, or screenshots that include other patients' information. A short description is enough for us to triage; we will request additional detail through a secure channel if needed.

Expected response times

We monitor security@rootedhealthmember.com on every business day. Our service-level targets are:

  • Acknowledgement: within 1 business day for any report received Mon–Fri 8am–5pm CT (within 2 business days for reports received over the weekend).
  • Initial triage & severity classification: within 3 business days.
  • Critical issues (active PHI exposure, account takeover in progress, ongoing data loss): investigation begins same day, with status updates at least every 24 hours until contained.
  • High-severity issues (authentication bypass, privilege escalation, broken access control): remediation plan within 5 business days.
  • Medium / low-severity issues: remediation plan within 30 calendar days, with a status update at least every 14 days.
  • Resolution notice: we will follow up in writing once the issue is fixed or formally accepted as a known risk.

If a confirmed breach of unsecured PHI occurs, affected individuals are notified within the timeframes required by the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414), and HHS Office for Civil Rights is notified accordingly.

Responsible disclosure (researchers)

We welcome good-faith security research on Rooted Health-owned systems. If you follow the guidelines below, we will not pursue or support legal action against you and will credit you (with permission) once the issue is resolved.

  • Test only against your own account or accounts you have explicit permission to use.
  • Do not access, modify, exfiltrate, or retain PHI, payment data, or any other user data.
  • Stop testing as soon as you confirm a vulnerability and report it to us before disclosing publicly.
  • Do not run denial-of-service, brute-force, social-engineering, physical, or third-party-vendor attacks.
  • Give us a reasonable remediation window (typically 90 days, sooner if patients are at risk) before any public disclosure.

We do not currently operate a paid bug bounty, but we are glad to provide written acknowledgement and a thank-you letter for valid reports.

Other ways to escalate

If you have already contacted our Privacy & Security Officer and believe your concern has not been addressed, you may file a complaint with the U.S. Department of Health & Human Services, Office for Civil Rights, 200 Independence Ave SW, Washington, DC 20201, 1-877-696-6775, hhs.gov/ocr. We will not retaliate against anyone who reports a concern in good faith.

See the full Security & Patient Data Protection page for details on encryption, access controls, audit logs, and your HIPAA rights.

Questions? Contact our Privacy Officer at privacy@rootedhealthmember.com · Rooted Health Hormones & MedSpa, LLC · Conway, Arkansas