Security & Privacy

Your health data needs strong protection

Lysco handles sensitive health information. Here is how we protect your data.

  • Encryption: AES-256-GCM
  • Transport: TLS 1.3
  • Access Control: Row-Level
  • Data Retention: 6 Years
  • PHI Types Detected: 9
  • Injection Patterns: 13
  • Hosting: SOC 2 Type II
  • Key Rotation: Versioned

AES-256-GCM Encryption

Field-level encryption with key rotation

All data is encrypted at rest using AES-256-GCM with NIST-standard initialization vectors. Sensitive fields like medical records use additional field-level encryption with versioned keys that support rotation without re-encrypting existing data. Data in transit is protected by TLS 1.3.

Row-Level Security

Database-enforced user isolation

Every database query is scoped to your authenticated user ID using Supabase Row-Level Security (RLS) policies. Even if an application bug occurs, the database itself prevents cross-user data access. Your data is isolated at the infrastructure level — not just the application level.

No Routine Human Access

Automated document processing by default

Your uploaded documents — denial letters, medical bills, prescriptions — are processed automatically by AI systems. Employee access is restricted, audited, and only available through controlled security workflows when required. Documents are stored in encrypted private buckets accessible through authenticated sessions.

HIPAA-Aligned Controls

Access logging, minimum necessary, audit trails

Every access to protected health information (PHI) is logged with who accessed it, when, and why. We enforce minimum-necessary data exposure — each API endpoint only retrieves the fields it needs. Break-the-glass emergency access requires time-limited tokens with mandatory justification.

PHI Detection & Redaction

9 sensitive data types automatically flagged

Our automated PHI detection system scans for Social Security numbers, dates of birth, member IDs, medical record numbers, phone numbers, email addresses, credit cards, and more — with validation (e.g., Luhn check for cards) to prevent false positives. Detected PHI is redacted from logs and analytics.
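The validate-before-redact approach described above, as an added example that is not Lysco's code: a regex finds candidates, a validator (Luhn for cards, issuance rules for SSNs) confirms them, and only confirmed matches are replaced in a log line. The detector patterns, the `[REDACTED:TYPE]` placeholder and the sample lines are assumptions made for illustration.

```javascript
// Added example: patterns, placeholder format and sample lines are constructed
// for illustration and are not Lysco's implementation.

// Luhn checksum: from the right, double every second digit, sum, check mod 10.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// SSA never issues area 000, 666 or 900-999, group 00, or serial 0000.
function ssnPlausible(m) {
  const [area, group, serial] = m.split("-");
  return area !== "000" && area !== "666" && area[0] !== "9" &&
    group !== "00" && serial !== "0000";
}

// Each detector pairs a candidate regex with an optional validator.
const DETECTORS = [
  { type: "CARD", re: /\b\d(?:[ -]?\d){12,18}\b/g,
    valid: (m) => luhnValid(m.replace(/[ -]/g, "")) },
  { type: "SSN", re: /\b\d{3}-\d{2}-\d{4}\b/g, valid: ssnPlausible },
  { type: "EMAIL", re: /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g },
];

// Replace validated matches with a typed placeholder; count hits per type.
function redact(line) {
  const found = {};
  let text = line;
  for (const { type, re, valid } of DETECTORS) {
    text = text.replace(re, (m) => {
      if (valid && !valid(m)) return m; // candidate failed validation: keep it
      found[type] = (found[type] || 0) + 1;
      return `[REDACTED:${type}]`;
    });
  }
  return { text, found };
}

// Constructed log lines: a valid test card, a 16-digit id that fails Luhn,
// a plausible SSN, and an SSN-shaped string with an unissued area number.
const SAMPLE = [
  "claim=88 payer card 4111 1111 1111 1111 contact jane.doe@example.com",
  "claim=89 tracking 1234567890123456 ssn 123-45-6789",
  "claim=90 batch 000-12-3456 processed",
];
for (const line of SAMPLE) console.log(redact(line).text);
```

Leaving candidates that fail validation untouched lowers false positives at the cost of missing mistyped values, so a stricter log pipeline may prefer to redact every candidate and use the validator only for reporting.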

Input Sanitization

Zod schemas + injection prevention

All user input is validated with strict Zod schemas before processing. File uploads are checked against an allowlist of safe MIME types and size limits. Text inputs are sanitized with 13 regex patterns to block prompt injection, CRLF injection, and role-override attempts before reaching any AI model.

Infrastructure Security

SOC 2 hosting, US data centers

Hosted on Vercel (SOC 2 Type II) with Supabase (SOC 2 Type II, HIPAA eligible) for database. All infrastructure runs in US-based data centers. Secrets are managed via environment variables — no credentials stored in code. Health checks monitor database, AI, payments, and cache continuously.

Multi-Strategy Rate Limiting

Sliding window, token bucket, burst control

Three rate limiting algorithms protect every endpoint: sliding window for general traffic, token bucket for AI burst control, and leaky bucket for sustained load. Limits scale with your subscription tier. Authentication endpoints are limited to 5 attempts per 5 minutes.

AI Safety & Verification

Hallucination detection, self-verification layer

Every AI analysis runs through a self-verification pass that checks legal citations via web search, validates deadlines against applicable law, and flags inconsistencies. AI outputs are designed to include disclaimers stating they are not legal or medical advice. Professional referral thresholds trigger automatically for ERISA plans and claims over $5,000.

Our commitments to you

We never sell your data

Your health information is never sold or shared with advertisers.

You can delete your data

Request full data deletion anytime from settings.

We log all access

Access to your data is logged with an audit trail.

AI outputs are not training data

Your documents are not used to train models.

Clear limitations

Lysco is informational only, not a law firm or medical practice.

Emergency access controls

Emergency access requires strict approval and logging.

Privacy summary

  • We never sell your personal or health data to anyone.
  • Your uploaded documents are encrypted and stored securely in isolated storage.
  • Document analysis happens in-memory and is not used to train models.
  • We log access to your data for security auditing only.
  • You can export or delete all your data at any time.
  • We use industry-standard authentication with secure session management.
  • All API endpoints are authenticated and rate-limited.
  • Prompt injection and role-override attempts are detected and blocked.
  • File uploads are validated against an allowlist of safe types and size limits.

Have a security concern or want to report an issue?

security@lysco.com

We aim to acknowledge reports within 48 hours.