
Case Study

How a 2-Location Dermatology Practice Secured 50,000 Patient Photos, Built a Compliant Telehealth Platform, and Increased New Bookings by 35%

Coastline Dermatology & Skin Care · Long Beach, CA

Client Type: Dermatology Practice
Location: Long Beach, CA
Practice Size: 2 locations, 24 employees
Service: Cybersecurity + Managed IT + HIPAA + AI
Duration: 75 days

The Challenge

Coastline Dermatology & Skin Care operates two locations in Long Beach and Seal Beach, California. The practice employs 24 people — three board-certified dermatologists, two physician assistants, an aesthetician, medical assistants, front desk staff, and a billing team. They handle the full spectrum: medical dermatology (skin cancer screenings, biopsies, acne, eczema, psoriasis), surgical procedures (Mohs surgery, excisions), and cosmetic services (Botox, fillers, laser treatments, chemical peels).

The practice generated strong revenue from both the medical and cosmetic sides. But behind the clinical success, the technology and compliance infrastructure had been neglected for years. A combination of rapid growth, multiple service lines, and an expanding photo library created risks that Dr. Nathan Cole — the founding partner — hadn't fully appreciated until a close call forced the issue.

50,000 Patient Photos on an Unsecured System

Clinical photography is essential in dermatology. Tracking mole changes over time, documenting skin cancer progression, recording pre- and post-treatment results for cosmetic procedures, and capturing biopsy sites for surgical planning — the practice took thousands of photos per year. Over eight years, the library had grown to more than 50,000 images.

Every photo lived on a shared network drive accessible from both locations. There were no access controls — any employee at either office could browse every patient's images. Photos were organized by date, not by patient, making it nearly impossible to pull a specific patient's full image history without searching through folders manually.

Four clinical staff members regularly copied photos to personal phones for reference between locations. Those images synced automatically to personal iCloud and Google Photos accounts. One PA had three years of dermoscopy images on her personal iPad — high-resolution photos of patients' moles, lesions, and biopsy sites stored on an unmanaged device with no encryption and no remote wipe capability.

The close call came when a medical assistant's personal phone was stolen from her car. The phone had 400+ patient photos with no passcode lock enabled. The practice had no way to remotely wipe the device, no incident response plan, and no process for notifying affected patients. They got lucky — the phone was recovered by police two days later, apparently untouched. But it exposed a gap that could have resulted in a reportable breach affecting hundreds of patients.

Telehealth on Consumer Video Platforms

During the pandemic, Coastline launched teledermatology using standard Zoom accounts. When enforcement relaxed, the practice kept using them. Three years later, they were still conducting 30 to 40 virtual visits per week on consumer Zoom — not HIPAA-compliant, not encrypted end-to-end for healthcare, and not integrated with their EHR.

Teledermatology visits involved patients showing skin concerns on camera while providers took screenshots and added them to the patient chart manually. Those screenshots were saved to local desktops, then dragged into the EHR — a workflow with multiple points where unencrypted PHI lived on unmanaged devices. Visit recordings (when providers saved them for documentation) sat in a Zoom cloud account with no BAA in place.

The practice had no telehealth consent workflow, no documentation of HIPAA-compliant video infrastructure, and no audit trail for virtual visits beyond the EHR note.

Two Locations, No Unified IT

Each location had been set up independently. The Long Beach office ran on a local server from 2019. The Seal Beach office used a different setup built by a different tech. Neither location had remote monitoring. Neither had automated patching. The practice management system and EHR worked at both locations but ran slowly because the inter-office connection was a basic VPN that dropped regularly.

When the VPN went down, providers at Seal Beach couldn't access Long Beach patient charts. This happened two to three times per month, usually lasting 30 to 60 minutes each time. During Mohs surgery days — when the surgeon operates at Long Beach and needs pathology images sent to the lab in real time — a network interruption meant the patient waited on the table while staff scrambled to restore the connection.

Backups existed at the Long Beach location but hadn't been tested. The Seal Beach office had no backup system. An equipment failure or ransomware attack at Seal Beach would wipe out three years of patient records with no recovery option.

HIPAA Compliance Was Surface-Level

The practice had a template HIPAA compliance binder purchased online in 2020. It contained generic policies that had never been customized, reviewed, or distributed to staff. No security risk assessment had ever been conducted. No Business Associate Agreements existed with their EHR vendor, photo storage system, billing clearinghouse, Zoom, lab courier service, or pathology lab. Staff had never completed HIPAA training.

For a practice handling 50,000 clinical images, conducting telehealth visits, performing surgical procedures, and operating across two locations, the compliance exposure was severe. Potential penalties for the gaps we later identified exceeded $275,000.

The Phones Were Losing New Patients

Coastline received 90 to 110 calls per day across both locations. The call mix was split between medical (skin checks, biopsy results, medication refills, referrals) and cosmetic (pricing, procedure questions, consultation bookings, package inquiries). Two front desk employees at each location handled everything — phones, check-in, scheduling, insurance verification, and payments.

Hold times during peak hours stretched past three minutes. Voicemails stacked up — 18 to 22 per day — with callbacks happening 24 to 48 hours later. For cosmetic inquiries, that delay was a deal-killer. Patients shopping for Botox or laser treatments called multiple providers. Whoever answered first usually won the booking.

After 5 PM and on weekends, all calls went to voicemail. The practice tracked new patient sources and found that 38% of cosmetic consultations originated from evening web browsing — patients who researched procedures, looked at reviews, and then called. Those calls went unanswered. Dr. Cole estimated the practice lost 8 to 12 cosmetic consultations per week to voicemail alone.

Our Solution

We assessed both locations over four days — every device, network path, server, photo storage system, telehealth workflow, vendor relationship, and compliance document. The findings: 26 critical vulnerabilities, 50,000+ patient photos on an unsecured shared drive, a telehealth platform with no HIPAA compliance, zero documentation that would survive an audit, and a front desk losing new patients daily.

We built a 75-day remediation plan addressing cybersecurity, managed IT, HIPAA compliance, and front office operations across both sites.

Cybersecurity: Locking Down 50,000 Patient Images

  • Secure photo management platform — we migrated all 50,000+ images from the shared network drive to an encrypted, HIPAA-compliant cloud storage system with role-based access controls. Providers access only their own patients' images. Front desk and billing staff cannot see clinical photos. Every access, download, and share is logged with a full audit trail.
  • Personal device remediation — identified patient photos on 4 employees' personal devices. All images were securely transferred to the compliant platform and wiped from personal phones, tablets, and cloud accounts. We deployed a secure mobile app so providers can review images between locations without storing PHI on personal devices.
  • Endpoint detection and response (EDR) on every workstation and server across both locations — active threat monitoring managed from a single cybersecurity dashboard.
  • Business-grade firewalls with intrusion prevention at both sites. Network segmentation separating clinical operations, payment processing, telehealth, and guest Wi-Fi.
  • Email security gateway — blocks phishing, spoofing, and malicious attachments. Encrypted email for any communication containing PHI or clinical images.
  • Multi-factor authentication on every account. Shared logins eliminated. Every system access tied to an individual employee.
  • Quarterly security awareness training with dermatology-specific phishing simulations — fake pathology report notifications, spoofed insurance pre-authorization emails, and counterfeit medical supply promotions.
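To make the photo access model concrete, here is an added example (not code from the case study or from the platform the practice deployed) of the patient-scoped, role-based authorization and audit trail described in the first bullet: providers open only photos of patients on their own care team, front desk and billing roles are denied outright, and every view, download or share attempt is logged whether it was allowed or refused. Role names, user and patient IDs, and the care-team mapping are constructed sample data.

```python
# Added example (not the case study's or vendor's code): a minimal model of the
# patient-scoped, role-based photo access control and audit trail described above.
from dataclasses import dataclass, field
from datetime import datetime, timezone

PHOTO_ROLES = {"provider"}          # front desk and billing are deliberately absent
ACTIONS = {"view", "download", "share"}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str


@dataclass
class PhotoStore:
    photos: dict[str, str]             # photo_id -> patient_id
    care_team: dict[str, set[str]]     # patient_id -> user_ids treating that patient
    audit_log: list[dict] = field(default_factory=list)

    def _decide(self, user: User, photo_id: str, action: str) -> str:
        """Default deny: only the final branch allows."""
        if action not in ACTIONS:
            return "denied: unknown action"
        if user.role not in PHOTO_ROLES:
            return "denied: role has no clinical photo access"
        patient_id = self.photos.get(photo_id)
        if patient_id is None:
            return "denied: no such photo"
        if user.user_id not in self.care_team.get(patient_id, set()):
            return "denied: user is not on this patient's care team"
        return "allowed"

    def access(self, user: User, photo_id: str, action: str) -> bool:
        """Authorise one view/download/share and log it whether allowed or not."""
        decision = self._decide(user, photo_id, action)
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(), "user": user.user_id,
            "role": user.role, "photo": photo_id, "patient": self.photos.get(photo_id),
            "action": action, "decision": decision,
        })
        return decision == "allowed"

    def denied_attempts(self) -> list[dict]:
        """What a reviewer pulls first from the trail: every refused access."""
        return [e for e in self.audit_log if e["decision"] != "allowed"]


def build_sample_store() -> PhotoStore:
    """Constructed sample data: two providers, three patients, four photos."""
    return PhotoStore(
        photos={"img-001": "pt-100", "img-002": "pt-100", "img-003": "pt-200", "img-004": "pt-300"},
        care_team={"pt-100": {"dr-cole"}, "pt-200": {"dr-cole", "pa-lee"}, "pt-300": {"pa-lee"}},
    )


if __name__ == "__main__":
    store = build_sample_store()
    store.access(User("dr-cole", "provider"), "img-001", "view")      # allowed
    store.access(User("pa-lee", "provider"), "img-001", "download")   # denied: not on care team
    store.access(User("fd-ana", "front_desk"), "img-003", "view")     # denied: role
    print(len(store.denied_attempts()), "denied attempts logged")
```

Logging the refusals as well as the successes is what turns the trail into a detection source: a front desk account repeatedly hitting "denied" on clinical photos is the signal a reviewer wants to see.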

Managed IT: Two Locations, Reliable Connectivity, Telehealth Infrastructure

  • Encrypted SD-WAN connection between both locations — replaced the unreliable VPN. Both offices now operate on a single secure network with consistent, high-speed connectivity. Mohs surgery days no longer depend on a flaky VPN for pathology image transfers.
  • HIPAA-compliant telehealth platform — replaced consumer Zoom with an encrypted, healthcare-grade video platform integrated with the EHR. Virtual visits now include automatic documentation, secure screen capture to the patient chart, consent workflows, and a full audit trail. BAA executed with the platform vendor.
  • 24/7 remote monitoring and management across all devices at both locations. Automated patch management. Cloud backup with hourly snapshots at both sites — including the first backup system ever installed at Seal Beach.
  • Dedicated help desk with guaranteed response under 60 seconds. Staff at either location get immediate support without waiting for a local tech.
  • Device lifecycle management — audited all 26 devices, replaced 5 past end-of-life, enrolled everything in centralized management.

HIPAA Compliance: Photo-Heavy Practice Done Right

  • Full security risk assessment covering both locations — every system, every data flow, every vendor, and every clinical photography workflow documented with remediation tracking.
  • 20 written policies and procedures — including dermatology-specific policies for clinical photography consent, dermoscopy image storage, telehealth documentation, before-and-after photo use in marketing, and social media use of patient images.
  • Business Associate Agreements — identified 10 vendors who handle PHI (EHR, photo storage, telehealth platform, billing clearinghouse, pathology lab, lab courier, cloud backup, email provider, shredding service, IT suppliers) and executed signed BAAs with each.
  • Staff HIPAA training — all 24 employees completed training covering clinical photography rules, telehealth compliance, personal device policies, and consent documentation. New hires complete training before receiving system access.
  • Breach response plan — step-by-step playbook including specific procedures for photo-related incidents (stolen devices, unauthorized image sharing, social media violations).

AI Receptionist: Medical and Cosmetic Calls Handled Separately

We deployed an AI-powered phone receptionist across both locations, configured to handle the unique dual nature of a derm practice — medical and cosmetic calls require different responses, different routing, and different urgency levels.

  • Cosmetic inquiry handling — the AI answers pricing questions, explains procedures and expected downtime, describes package options, and books cosmetic consultations. It provides the information prospective patients need to commit — without hold times or voicemail.
  • Medical call routing — biopsy result inquiries, medication questions, and urgent skin concerns get routed to clinical staff with full context. The AI gathers relevant details before connecting so the nurse knows who's calling and why.
  • After-hours and weekend coverage — cosmetic patients browsing at 9 PM can ask questions and book consultations. Medical patients calling after hours about a suspicious mole or post-procedure concern get appropriate guidance and next-day appointment booking.
  • Appointment scheduling — connects to the practice management system in real time. Books medical and cosmetic appointments at either location based on provider availability and patient preference.
  • Cross-location booking — when one location is fully booked, the AI offers available slots at the other. Patients see it as flexibility. The practice fills chairs.

The full deployment was completed in 75 days across both locations. Every step followed our healthcare IT framework. See how the costs break down on our pricing page.

The Result

Cybersecurity: 50,000 Photos Secured, Zero Breaches

The photo migration was the most complex piece — and the most impactful. All 50,000+ images moved from an open shared drive to an encrypted, role-based system. Providers now access only their own patients' photos. Every view, download, and share generates an audit log entry. The four employees with photos on personal devices had those images securely wiped — and understood exactly why it mattered.

In the first 12 months, the security stack blocked 312 malicious emails across both locations, detected and quarantined 28 malware attempts, and stopped two phishing attacks targeting the practice's patient portal. Zero breaches. Zero patient images exposed. Zero telehealth sessions compromised.

The phone theft scenario that originally sparked the engagement? It can't happen again. Clinical photos no longer live on personal devices. If a practice-owned device is lost or stolen, we wipe it remotely within minutes.

Phishing simulation results: first test, 26% clicked. By the fourth quarter, 6%. The fake pathology report notification was the most effective training exercise — three employees who clicked it in round one became the practice's most vigilant email screeners.

Managed IT: Zero Connectivity Drops, Telehealth Running Clean

The SD-WAN connection between locations has maintained 99.99% uptime over 12 months. The VPN drops that disrupted Mohs surgery days — two to three per month — stopped completely. Pathology images transfer between locations in seconds. Providers access charts from either site without delays.

The telehealth platform handles 35 to 40 virtual visits per week with full EHR integration. Visit documentation flows directly into the patient chart. Screen captures are encrypted and stored in the compliant photo system. The consent workflow runs automatically. Telehealth revenue increased 22% in the first six months because the improved platform made virtual visits faster for providers and easier for patients.

Monthly IT costs became predictable. The practice went from an average of $3,400 per month in break-fix charges across both locations to a flat monthly fee. First-year IT savings: $16,200.

HIPAA: Fully Compliant with Photo-Specific Documentation

Coastline now has the most thorough compliance program of any dermatology practice we've worked with. The risk assessment covers every imaging workflow, every telehealth session, and every vendor. All 10 BAAs are signed. All 24 employees have completed training.

The dermatology-specific policies — clinical photography consent, dermoscopy image retention, before-and-after marketing use, and telehealth documentation — go beyond template HIPAA kits. When the practice's malpractice carrier reviewed the new compliance posture, they reduced the annual premium by 11% — a savings of $5,800 per year.

With the volume of photos, telehealth sessions, and multi-location data flows, potential penalties before our engagement exceeded $275,000. That exposure is now documented, remediated, and audit-ready.

AI Receptionist: 35% More New Patient Bookings

The AI receptionist transformed how Coastline converts phone inquiries into booked patients. In 12 months, the system handled over 32,000 inbound calls across both locations. Of those, 66% were fully resolved by the AI — appointments booked, pricing questions answered, procedure information provided, insurance confirmed.

The cosmetic side saw the biggest impact. Consultation bookings for Botox, fillers, and laser treatments increased 35% in the first six months. The difference was simple: every call got answered on the first ring. No hold times. No voicemail. The prospective patient who called at 8 PM after browsing treatments online booked a consultation instead of calling a competitor the next morning.

After-hours bookings accounted for 24% of all new cosmetic appointments — patients who previously reached voicemail and moved on. At an average cosmetic consultation value of $400 (with many converting to treatment plans worth $1,500 to $4,000), those recovered bookings represent substantial monthly revenue.

Cross-location booking filled an additional 6 slots per week by offering patients appointments at the alternate location when their preferred office was full.

Front desk staff went from spending 3 hours per day on phones to under 45 minutes. That freed up over 55 staff hours per month across both locations — redirected to patient check-in, insurance processing, and treatment plan follow-ups.

Dr. Cole's assessment: "We had 50,000 patient photos on an open drive, telehealth on consumer Zoom, and zero compliance documentation. Any one of those could have ended us. But what I notice every day isn't the security — it's the phones. We stopped losing cosmetic patients to voicemail. That alone paid for everything else."

Running a dermatology practice with patient images on personal devices and cosmetic inquiries going to voicemail? Book a free consultation and we'll assess your photo security, telehealth compliance, IT infrastructure, and front office operations.

"We had 50,000 patient photos on an open drive, telehealth on consumer Zoom, and zero compliance documentation. Any one of those could have ended us. What I notice every day is the phones — we stopped losing cosmetic patients to voicemail."

Dr. Nathan Cole, MD — Coastline Dermatology & Skin Care

  • 50K+ patient photos secured
  • 35% increase in new bookings
  • 312 threats blocked (12 months)
  • 99.99% network uptime

Frequently Asked Questions

We migrate photos from shared drives or consumer platforms to an encrypted, HIPAA-compliant storage system with role-based access controls. Providers access only their own patients' images. Every view and download is logged for audit purposes. We also identify and securely wipe patient photos from personal devices, then deploy a secure mobile app so providers can review images without storing them locally.

Standard Zoom accounts are not HIPAA-compliant. Even Zoom for Healthcare requires a signed BAA and specific configuration. We deploy a purpose-built healthcare video platform with end-to-end encryption, EHR integration, automatic visit documentation, and a full audit trail. The transition is straightforward and most practices are up and running within two weeks.

Yes — we configure separate call flows for medical and cosmetic inquiries. Cosmetic callers get pricing information, procedure details, and consultation booking. Medical callers with urgent concerns get routed to clinical staff with context. The AI distinguishes between the two based on the caller's initial request and handles each appropriately.

We use encrypted SD-WAN tunnels that connect your locations through a private network. Staff at either site access the same patient records, photo library, and scheduling system as if they were in one office. The connection is faster and more reliable than a VPN, with 24/7 monitoring. For Mohs surgery practices, this ensures pathology images transfer instantly between sites.

Ready to Get Results Like These?

Every practice we work with starts the same way — a free, no-pressure consultation. We'll review your current setup and show you exactly where we can help.
