Hacker News

Even an async validation would be better. I have <common name>@gmail.com, and get several newspapers and some other subscriptions for free.

In one case, a person named Mary in Australia sends their loved one a gift card every year, and the retailer doesn’t provide any information about Mary. In another case, a student missed out on their work study job and an opportunity for early class enrollment due to a bad email.

It’s sad as all of these customers don’t even know that they have a problem.



Validating any contact method that has the potential of sending PII, Health, or financial data should be mandatory by law.

At least once a year I get an automated phone call from a regional hospital letting me know some minor's test results. Calling the hospital's CS department in order to notify them or somehow get my phone number removed from the account is impossible, because I'm not this person nor their legal guardian and HIPAA regulations prevent me from instigating a change on someone else's medical records or accounts.


An extra problem there is that phone numbers get reused. They might have verified the number at the time the previous person still had it.

I get all kinds of messages to someone called Amy from multiple sources, so I believe Amy really had my phone number earlier. No medical results yet, but healthcare appointment reminders for sure.


Don't call CS. File a HIPAA complaint. The provider who is sharing PHI illegally will certainly care. They have no duty to validate the phone number, but they do have to respond to a complaint saying they shared PHI with a person who is not THE person.



