Big thanks to @todb for handling a private vulnerability disclosure to a pharmacy chain for me. It's great to see that their website no longer leaks PHI, and it is even better that I didn't get sued, threatened, or arrested as part of getting it fixed.
It would be fantastic if organizations like HackerOne offered this as a service; their current rules require the researcher to contact the organization directly first, defeating the point of working through a less-suable intermediary :)
All the same, hurray for one less exposure!