Coventry is brazenly violating California law—and it’s impossible to tell whether it’s the result of astonishing incompetence or outright disregard for basic security and compliance.

As of this writing, literally anyone with an Internet connection can legally affirm or decline a doctor’s participation in Coventry’s Medical Provider Networks (MPNs).

California law mandates that MPNs obtain a separate written acknowledgement from each participating provider confirming their willing membership in the MPN. This is not optional—it’s a critical protection that prevents MPNs from adding doctors (and imposing MPN terms and discounts) without their knowledge or consent.

Instead of maintaining compliant agreements, Coventry keeps its official MPN physician acknowledgments on an unsecured, public-facing website that requires no login or verification.

You read that correctly—any random prankster or hacker can head to Coventry’s website and access the acknowledgements of any provider that Coventry lists.  

We can’t decide who looks worse here:

• Coventry, for making legally binding (in Coventry’s view) documents publicly available and editable on an unsecured public forum, or
• The California Division of Workers’ Compensation (CA DWC), for allowing so serious a breach of providers’ rights on their watch

CA Law: Written MPN Acknowledgements Required

California Labor Code Section 4616 is crystal clear: each MPN must maintain written acknowledgements confirming each MPN provider’s willing participation (emphases ours):

“A treating physician shall be included in the network only if, at the time of entering into or renewing an agreement by which the physician would be in the network, the physician, or an authorized employee of the physician or the physician’s office, provides a separate written acknowledgment in which the physician affirmatively elects to be a member of the network.

Copies of the written acknowledgment shall be provided to the administrative director [of the CA DWC] upon the administrative director’s request.”

But rather than complying with this law, Coventry instructs providers to “affirmatively elect” to participate in their MPNs by clicking a few buttons on their website—where any jamoke can access and alter the acknowledgements at any time.

Coventry, What Are You Doing?

To access their MPN acknowledgements, providers start by clicking the ‘MPN PROVIDER INFORMATION’ link on Enlyte’s website (Enlyte is the parent company of Coventry).

Anyone with a web browser—hacker, identity thief, disgruntled former employee—can access this page.

From there, providers (or whoever) land on Coventry’s MPN “search and update site,” where a misleading greeting awaits.

The site instructs providers to “confirm your participation in the MPNs listed for your location(s)” directly on the website. Again, the Labor Code requires “a separate written acknowledgment” for each MPN physician—not a few clicks on an unsecured public website.

Further, the Coventry site claims that “The NEW California Regulations require active acknowledgement by Providers of their participation in a [sic] MPNs.”

Of course, no “NEW” regulations require this active acknowledgement. The Labor Code and long-standing California Code of Regulations Section 9767.5.1 require it—and have for over a decade.

Next, clicking the ‘Provider Search’ button brings you to the page below, where anyone can search providers by name or other identifying information.

As an example, we were able to find all providers whose practice includes the words “Los Angeles” in just three steps.

The Coventry MPN page’s search results returned 138 providers, including each provider’s name, address, phone number, specialty, and other identifying information—along with access (including edit access) to their MPN Acknowledgement Form.

To access any provider’s MPN Acknowledgement form, we simply had to click on the “Acknowledgment Form.”

As shown in the screenshot below from a random doctor we selected, anyone can open the provider’s MPN Acknowledgement and click to confirm that the provider is “participating in the MPN” and accepts all its conditions.

As an aside illustrating how truly broken the California MPN system is, a full 25% of the MPNs listed on this doctor’s acknowledgement do not exist and have never existed according to the CA DWC’s online MPN list. How many bogus reimbursement discounts or denials has Coventry imposed on doctors based on these phantom MPNs?

The form includes a box authorizing Coventry to treat the signature “as binding as the original.” There is no verification that the person submitting the form is even remotely affiliated with the provider.

In other words: Coventry has created an MPN acknowledgement system with zero security protections—and allows the consequences to fall on providers if (and when) something goes sideways.

Where’s the CA DWC?

This breach reflects more than just Coventry’s failures—it’s emblematic of the regulatory black hole that is California workers’ comp under the CA DWC.

State law mandates that “Copies of the written [MPN] acknowledgment shall be provided to the [CA DWC] administrative director upon the administrative director’s request.” Clearly, the CA DWC has never asked Coventry for copies of these legally required acknowledgements, because as far as we can tell, they don’t exist.

We can’t know whether Coventry’s violations are the result of laziness, indifference, ineptitude—or the simple knowledge that adherence to workers’ comp laws and regulations in California is effectively optional, thanks to the CA DWC’s persistent inaction.

daisyBill keeps track of all your bills and payments — so you know when payers are coloring outside the lines. Click below to learn more:

LEARN MORE: DAISYBILL