I'm a parent looking for advice on next steps.

My child's healthcare provider uses a third-party vendor for its patient portal. While using the portal, I discovered that simply changing the profile ID in my browser's developer tools (Inspect) caused another patient's information to be returned. I documented the issue and reported it to the healthcare provider.

A month later, the provider emailed that the issue had been resolved and shortly after that, terminated my child's services. Their letter alleges I committed "unauthorized access" on four separate dates, including one where the provider asked me to provide proof of the issue, and says law enforcement confirmed my actions constituted criminal activity regardless of intent. I dispute that characterization. No law enforcement agency has contacted me.

I've spoken with two attorneys, but the consensus seems to be that this is a legal gray area, and I haven't gotten much practical guidance.

For those with experience in responsible disclosure or computer access law:

  - What should I do next?

  - I have not responded to the termination letter. Should I respond, or focus on retaining an attorney first?

  - Should I file a HIPAA complaint with HHS OCR regarding the apparent exposure of other patients' information, or wait until I have legal representation?

  - Are there organizations (EFF, ACLU, security nonprofits, etc.) that might be willing to help?

I'm not looking to debate the facts of the case; I'm trying to figure out the best path forward.