An anonymous reader writes "I live in the US. My physician uses a web site run by another company to maintain my health history and medical test results. I just changed my password and was shocked to see it emailed back to me in plain text. It seems to me that not following security best practices would be a violation of HIPAA, but IANAL. What are some ideas for correcting the situation? Given that their security is so messed up, who would even understand my complaint or take it seriously?"