Reporting a Potential Security Vulnerability or Concern

Epic is committed to providing secure enterprise software to its customers. We rely on our strong information security management system to guide our policies and procedures, and take great care during our software development process to avoid and address any potential security vulnerabilities. But we also recognize that not all vulnerabilities can be avoided, and we promptly investigate any reports of potential security or privacy issues in our program or software.

We encourage responsible reporting of potential security concerns using one of these methods:

  • If you are an Epic community member, you can report a potential security vulnerability or concern by contacting your Epic technical services representative or technical coordinator. We will work with you to investigate the issues you report, and we will provide guidance to the rest of the Epic community as necessary, following our standard security and privacy risk escalation process.
  • If you are a patient of a healthcare organization using Epic software, you can share your concerns directly with the organization where you receive care. Organizations using Epic software maintain and configure their instance of Epic software based on their organization’s unique needs, and may be better suited to address your concerns or findings.
  • Security researchers, security and penetration testing companies, or anyone else can report a potential vulnerability to us directly by sending an email to, or by calling our main number (608) 271-9000. We can provide a secure method for you to share the details of your findings with us.
  • If you have concerns about the adherence to our information security management system, email or call our main number at (608) 271-9000.

Please note that Epic does not offer compensation for reporting potential vulnerabilities or other issues in the software.