
The Scrapers At MyChart's Gate
Key Takeaways
- Open‑source connector automates MyChart login and 2FA.
- Provides 35+ tools to read and write patient data.
- Bypasses FHIR read‑only APIs, enabling full UI actions.
- Highlights security gaps in web portals against RPA bots.
Summary
Fan Pier Labs released an open‑source MyChart connector that automates login, 2FA, and exposes 35+ tools to read and write patient data via the web UI. Unlike official FHIR APIs, it can perform any action a patient can, including messaging providers and requesting prescription refills. The tool demonstrates how RPA and AI can turn UI screens into de facto APIs, bypassing existing security controls. This development raises concerns for healthcare data privacy and compliance.
Pulse Analysis
The automation of user interfaces has become a cornerstone of modern digital workflows, a trend often described as turning UI screens into de facto APIs. Robotic Process Automation (RPA) combined with generative AI can mimic human interactions at scale, circumventing traditional safeguards such as CAPTCHAs or rate limits within minutes. This shift is reshaping how enterprises extract data from legacy systems, but it also erodes the distinction between authorized API calls and scripted UI actions. As a result, organizations must rethink security models that once relied on the perceived difficulty of UI scraping.
Fan Pier Labs’ newly released “mychart‑connector” illustrates both the power and the risk of this approach in the healthcare sector. The open‑source tool logs into Epic’s MyChart portal using patient credentials, automatically completes two‑factor authentication via TOTP, and exposes more than thirty‑five functions that can read or write medication lists, lab results, messages, appointments, billing and insurance data. Unlike the regulated FHIR‑based APIs or TEFCA Individual Access Services, which are read‑only and limited to USCDI elements, this connector can perform any action a patient can perform in the UI, effectively creating an unrestricted backdoor.
The emergence of such unrestricted UI‑driven connectors forces health‑tech vendors and regulators to confront a new attack surface. Traditional bot‑detection mechanisms struggle against AI‑generated scripts that can adapt within hours, prompting a need for behavioral analytics, device fingerprinting, and zero‑trust access controls that verify intent rather than just credentials. Providers may also need to reconsider patient‑authored data policies and enforce stricter consent frameworks under HIPAA and emerging state privacy laws. As RPA continues to blur the line between legitimate automation and malicious scraping, the industry must invest in resilient, API‑first architectures to safeguard sensitive health information.
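The behavioral‑analytics angle above is easier to reason about with a concrete detector in hand. The following is an added example, not code from the article or from the mychart‑connector project: it scores portal sessions from access‑log lines using three heuristics a human rarely trips but a scripted UI client often does, namely a second‑factor code submitted almost instantly after the password, a near‑constant inter‑request cadence, and many distinct features touched within a minute. The log format, the path names (`/login`, `/login/totp`, `/medications`, …), the session ids and every threshold are constructed assumptions for illustration, not Epic’s or MyChart’s real endpoints or values.

```python
"""Behavioral heuristics for spotting scripted patient-portal sessions.

Added example (not from the original article or the connector project).
Log format, path names, session ids and thresholds are constructed
assumptions; a real deployment would derive thresholds from its own
traffic baseline.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample access log: timestamp, session id, method, path.
# sess-A behaves like an automation script; sess-B like a person.
SAMPLE_LOG = """\
2024-05-01T10:00:00.000 sess-A POST /login
2024-05-01T10:00:00.210 sess-A POST /login/totp
2024-05-01T10:00:00.420 sess-A GET /medications
2024-05-01T10:00:00.630 sess-A GET /labs
2024-05-01T10:00:00.840 sess-A GET /messages
2024-05-01T10:00:01.050 sess-A POST /messages/send
2024-05-01T10:00:01.260 sess-A GET /appointments
2024-05-01T10:00:01.470 sess-A GET /billing
2024-05-01T10:05:00.000 sess-B POST /login
2024-05-01T10:05:12.300 sess-B POST /login/totp
2024-05-01T10:05:40.800 sess-B GET /messages
2024-05-01T10:07:05.100 sess-B GET /labs
"""


def parse_log(text):
    """Group log lines into {session_id: [(timestamp, method, path), ...]}."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, method, path = line.split()
        sessions[sid].append((datetime.fromisoformat(ts), method, path))
    return sessions


def analyze_session(events, totp_floor_s=2.0, cadence_floor_s=0.5,
                    cv_ceiling=0.2, diversity_ceiling=6):
    """Return the list of heuristic names a session trips (empty if none)."""
    events = sorted(events)  # chronological order
    findings = []

    # 1. Second factor submitted implausibly fast after the password step.
    #    A person has to read a code off a device; a TOTP library does not.
    login_ts = next((t for t, _, p in events if p == "/login"), None)
    totp_ts = next((t for t, _, p in events if p == "/login/totp"), None)
    if login_ts and totp_ts and (totp_ts - login_ts).total_seconds() < totp_floor_s:
        findings.append("totp_too_fast")

    # 2. Machine-like cadence: short, nearly identical gaps between requests.
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    if len(gaps) >= 3:
        median_gap = statistics.median(gaps)
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0
        if median_gap < cadence_floor_s and cv < cv_ceiling:
            findings.append("machine_cadence")

    # 3. Many distinct portal features touched inside a single minute.
    span = (events[-1][0] - events[0][0]).total_seconds()
    distinct_paths = {p for _, _, p in events}
    if span <= 60 and len(distinct_paths) >= diversity_ceiling:
        findings.append("high_action_diversity")

    return findings


def flag_sessions(text):
    """Map every session id in the log to its findings."""
    return {sid: analyze_session(ev) for sid, ev in parse_log(text).items()}


if __name__ == "__main__":
    for sid, findings in flag_sessions(SAMPLE_LOG).items():
        print(sid, findings or "no findings")
```

The thresholds are deliberately conservative and the three signals are meant to be combined with device fingerprinting and step‑up verification rather than used as a sole block decision; a legitimate password manager plus an authenticator app can also produce a fast second factor, which is why the cadence and diversity signals matter alongside it.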