Responsible Vulnerability Disclosure Program
athenahealth is dedicated to ensuring security and privacy for our clients and partners across our solutions and services. Our comprehensive information security program adheres to rigorous application and infrastructure security standards throughout our software development life cycle to identify and remediate potential security vulnerabilities. While we strive to mitigate risk, we also recognize that vulnerabilities may exist that require further investigation. As a result, we encourage and prioritize any reports of potential security or privacy concerns related to our programs or software.
athenahealth invites responsible reporting of potential security and privacy issues through the following channels:
athenahealth Clients and Business Partners: athenahealth clients, vendors, and partners should report vulnerabilities or security concerns to their designated company contact (e.g. Customer Success Representative, Client Support Manager, or technical representative), who will act as a liaison between reporting parties and internal teams to investigate each report. This could include working with internal teams to address validated vulnerabilities or security concerns, and providing necessary guidance to the broader athenahealth community if appropriate.
Patients: Patients utilizing athenahealth products through their healthcare organizations should contact their healthcare organization with any concerns. Each organization configures and oversees their instance of athenahealth’s software to meet their own requirements, making them best suited to address issues that reporters may have. The healthcare organization may contact athenahealth directly using their designated point of contact should they not be able to address the concern themselves.
Security Researchers and Third Parties: Report potential concerns by e-mailing securityreports@athenahealth.com. If appropriate for the situation, athenahealth will facilitate further communications via a secure method to allow sharing of details and sensitive information with internal security teams.