TLS · Healthcare Practice Finder

Under maintenance

Pricing

Pay per event

Find dental, medical, therapy, chiro, derm practices in any US metro via OpenStreetMap. Passive HIPAA web recon (HTTPS, headers, tracking pixels) → graded leads with outreach hooks. For MSPs, vCISOs, HIPAA consultants. By TOUGH LOVE SECURITY.

Developer: ATM Pushout (maintained by Community)

Last modified: 11 days ago

Healthcare Practice Finder — HIPAA Risk Recon + Outreach Hooks

Find dental, medical, therapy, chiro, derm, optometry, podiatry, and physician practices in any US metro, run lightweight passive HIPAA-style web recon on each, and get back a graded lead list with paste-ready outreach hooks.

Built for MSPs, vCISOs, HIPAA compliance vendors, healthcare-focused legal firms, and security shops doing TOUGH LOVE SECURITY (TLS)-style outbound to small-practice healthcare.

Who this is for

  • HIPAA outreach pros who DM dentists/therapists about web compliance
  • Healthcare MSPs prospecting practices with weak external posture
  • Compliance/legal vendors triaging a metro for §164.312/§164.502 web exposures
  • Pen-test firms building a passive prequalification list before pitching

What it does that no other Apify Actor does

The Apify store has Google Maps scrapers (raw listings) and HTTPS checkers (raw status), but no Actor combines healthcare-practice discovery with HIPAA-style web recon and grades the result. This is a first-mover lead-gen tool.

  • Discovery via OpenStreetMap Overpass API (no Maps ToS exposure, no captcha, free upstream)
  • Geocoding via OSM Nominatim — pass "Atlanta, GA" and we resolve the bbox
  • Per-practice passive recon with native fetch (no Playwright, low cold-start)
    • HEAD: HTTPS reachability + 5 security headers: HSTS (Strict-Transport-Security), XFO (X-Frame-Options), CSP (Content-Security-Policy), XCTO (X-Content-Type-Options), Referrer-Policy
    • GET: regex-detect tracking pixels (Facebook, GTM, GA, TikTok, LinkedIn Insight, Hotjar)
  • HIPAA risk score (0-100) weighted by what HHS actually settles on:
    • Tracking pixels (PHI-to-third-party — see HHS 2024 guidance): 20 pts each, cap 60
    • Missing security headers: 5 pts each, cap 25
    • HTTP-only (§164.312(e)(1)): 25 pts
  • Paste-ready outreach hook per row — under 240 chars, references the actual finding
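
The scoring weights above, applied to one captured homepage response so a practice can check its own site the same way. This is an added example, not the Actor's source: the function name, the pixel regexes, the use of the final URL scheme for has_https, and the clamp to 100 are assumptions, and the sample response is constructed.

```javascript
// Added example, not the Actor's source. Weights and caps come from the list
// above; the pixel regexes and the final clamp to 100 are assumptions.
const REQUIRED_HEADERS = [
  'strict-transport-security', // HSTS
  'x-frame-options',           // XFO
  'content-security-policy',   // CSP
  'x-content-type-options',    // XCTO
  'referrer-policy',
];
// Assumed signatures: each vendor's commonly seen loader host or script path.
const PIXEL_PATTERNS = {
  facebook_pixel: /connect\.facebook\.net\/[^"'\s]*fbevents\.js/i,
  google_tag_manager: /googletagmanager\.com\/gtm\.js/i,
  google_analytics: /google-analytics\.com\/(analytics|ga)\.js|googletagmanager\.com\/gtag\/js/i,
  tiktok_pixel: /analytics\.tiktok\.com/i,
  linkedin_insight: /snap\.licdn\.com\/li\.lms-analytics/i,
  hotjar: /static\.hotjar\.com/i,
};

function scoreResponse({ url, headers, html }) {
  // Header names are case-insensitive, so normalise before comparing.
  const present = new Set(Object.keys(headers).map((h) => h.toLowerCase()));
  const missing_headers = REQUIRED_HEADERS.filter((h) => !present.has(h)).sort();
  const detected_pixels = Object.entries(PIXEL_PATTERNS)
    .filter(([, re]) => re.test(html))
    .map(([name]) => name);
  const has_https = new URL(url).protocol === 'https:'; // url = final URL after redirects
  const pixelPts = Math.min(detected_pixels.length * 20, 60);
  const headerPts = Math.min(missing_headers.length * 5, 25);
  const transportPts = has_https ? 0 : 25;
  // The three caps sum to 110, so a 0-100 score needs a final clamp (assumed).
  const hipaa_risk_score = Math.min(pixelPts + headerPts + transportPts, 100);
  return { has_https, missing_headers, detected_pixels, hipaa_risk_score };
}

// Constructed sample: HTTP-only site, two of five headers set, four pixels.
const sample = {
  url: 'http://clinic.example/',
  headers: { 'X-Frame-Options': 'SAMEORIGIN', 'Referrer-Policy': 'no-referrer' },
  html: [
    '<script src="https://connect.facebook.net/en_US/fbevents.js"></script>',
    '<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>',
    '<script src="https://static.hotjar.com/c/hotjar-0.js"></script>',
    '<script src="https://analytics.tiktok.com/i18n/pixel/events.js"></script>',
  ].join('\n'),
};
console.log(scoreResponse(sample));
```

Because the pixel check is a regex over static HTML, a tag injected at runtime by another script will not appear in `detected_pixels`.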

Sample input

{
  "metro": "Atlanta, GA",
  "radius_km": 15,
  "specialties": ["dentist", "psychotherapist", "chiropractor"],
  "min_risk_score": 30,
  "max_results": 50
}

Sample output (one dataset row)

{
  "name": "Buckhead Family Dental",
  "specialty": "dentist",
  "address": "3200 Peachtree Rd NE, Atlanta, GA, 30326",
  "phone": "+1-404-555-0142",
  "website": "https://buckheadfamilydental.example",
  "latitude": 33.8412,
  "longitude": -84.3782,
  "has_https": true,
  "missing_headers": ["content-security-policy", "strict-transport-security"],
  "detected_pixels": ["facebook_pixel", "google_tag_manager"],
  "hipaa_risk_score": 65,
  "captured_at": "2026-04-29T18:00:00.000Z",
  "suggested_outreach_hook": "Hi — quick note for Buckhead Family Dental: ran a passive scan and noticed facebook pixel + google tag manager on your site (PHI leakage exposure). Happy to send the full dentist HIPAA web-hygiene report (free, no pitch). Reply HIPAA?"
}

Pricing

Pay-per-event (recommended on Apify):

| Event | Price |
| --- | --- |
| Run start | $0.10 |
| Per practice returned | $0.02 |
| Monthly minimum | $4.99 |

A single metro scan returning 50 graded leads = $1.10 total. At ~$2-10K LTV per HIPAA remediation engagement, every conversion pays the entire annual subscription back ~1000×.

Alternative flat tier: $19.99/mo with 1,500 leads included (set as a separate subscription tier on apify.com).

Compared to existing Apify Actors

| Actor | Discovery | Per-result recon | HIPAA-grade scoring | Outreach hook |
| --- | --- | --- | --- | --- |
| Google Maps Scraper (apify/google-maps) | Yes (paid) | No | No | No |
| Website HTTPS Checker | No | Partial | No | No |
| Healthcare Practice Finder | Yes (free OSM) | Yes | Yes | Yes |

Schedule

Recommended cron: weekly per metro (0 14 * * 1). OSM tag changes are slow; weekly captures most new practices opening up.

Source

The recon + scoring logic mirrors the passive web-audit pattern used by the TOUGH LOVE SECURITY outreach pipeline. Free for non-commercial inspection; commercial use is licensed via the Apify subscription.

Notes & limits

  • OSM coverage of US healthcare practices is ~60-80% in major metros, lower in rural areas. Pair with a paid Maps Scraper Actor as a top-up if you need 100% coverage.
  • Passive recon only — no port scans, no exploits, no auth attempts. Every check is what an unauthenticated public visitor would already see.
  • Tracking-pixel detection is regex-only and runs against the homepage. Deeper pages may carry additional pixels not captured here; treat the score as a floor.