case 'DELETE':
        // Delete patient (admin only)
        if (!isAdminRequest()) {
            sendJsonResponse(["success" => false, "message" => "Unauthorized"]);
        }

        $id = intval($_GET['id'] ?? 0);
        if ($id <= 0) {
            sendJsonResponse(["success" => false, "message" => "Invalid patient ID"]);
        }

        try {
            $stmt = $conn->prepare("DELETE FROM patients WHERE id = ?");
            $ok = $stmt->execute([$id]);
            if ($ok) {
                sendJsonResponse(["success" => true, "message" => "Patient deleted successfully"]);
            } else {
                sendJsonResponse(["success" => false, "message" => "Failed to delete patient"]);
            }
        } catch (Exception $e) {
            error_log('patients.php delete error: ' . $e->getMessage());
            sendJsonResponse(["success" => false, "message" => "Server error: " . $e->getMessage()]);
        }
        break;