Zocdoc says programming errors led to patient information exposure

The bug allowed providers to access the scheduling vendor's system after their usernames and passwords were intended to be limited.
By Kat Jercich
12:28 PM

[Note: This piece has been updated to include comments from Zocdoc.]

The medical scheduling site Zocdoc published a letter this week describing a programming error that allowed patient information to be exposed to providers in an unauthorized manner.  

As Zocdoc explained, the bugs allowed practice staff members to access the vendor's system after their login information was intended to be limited.  

"Based on our investigation, we do not believe that any misuse or unauthorized access to unsecured personal information has occurred, or that any Zocdoc systems were compromised," said Zocdoc representatives in an email to Healthcare IT News after publication.

"Out of an abundance of caution, and out of respect for and our continued commitment to compliance with all regulatory requirements, we are notifying affected individuals and practices of this issue," they added.

WHY IT MATTERS  

As Zocdoc explained in its letter, each practice registered with Zocdoc receives usernames that allow staff members to access its Provider Portal.   

There, providers can view appointments and other information furnished by patients when booking.  

"Beginning in August 2020, we learned of programming errors that allowed some past or current practice staff members to access the Provider Portal after their usernames and passwords were intended to be removed, deleted or otherwise limited," read the letter.  
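The failure described above is a deprovisioning gap: accounts that were meant to be removed kept working. One check a defender can run is to reconcile the portal's access log against the staff roster's intended deactivation dates and flag any successful activity after an account should have been revoked. The following is an added Python example, not Zocdoc's code; the roster format, the log format and the `find_stale_access` function are assumptions, and all sample data is constructed.

```python
# Hypothetical audit for the failure mode described above: successful Provider
# Portal activity by accounts that should already have been deprovisioned.
# Not Zocdoc code; roster/log formats are assumptions and the data is constructed.
from datetime import datetime, timezone
import json

# Constructed roster: value is the intended deactivation time, None = still active.
ROSTER = {
    "dr_lee": None,
    "frontdesk2": "2020-07-15T17:00:00+00:00",   # left the practice in July
    "billing_tmp": "2020-06-01T00:00:00+00:00",  # temporary account, expired in June
}

# Constructed access log, one JSON object per line, as a portal might emit it.
ACCESS_LOG = """
{"ts": "2020-08-03T09:12:44+00:00", "user": "dr_lee", "action": "view_appointments", "result": "ok"}
{"ts": "2020-08-03T09:40:02+00:00", "user": "frontdesk2", "action": "login", "result": "ok"}
{"ts": "2020-08-04T11:05:19+00:00", "user": "billing_tmp", "action": "login", "result": "denied"}
{"ts": "2020-08-05T14:22:51+00:00", "user": "frontdesk2", "action": "view_patient", "result": "ok"}
{"ts": "2020-08-05T14:30:07+00:00", "user": "unknown_user", "action": "login", "result": "ok"}
""".strip()


def parse_ts(value):
    """Parse an ISO-8601 timestamp with offset into an aware UTC datetime."""
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def find_stale_access(roster, log_text):
    """Return (user, ts, action) for every successful event the roster cannot
    justify: the account was deactivated before the event, or the account is
    not on the roster at all (a live account nobody currently owns)."""
    findings = []
    for line in log_text.splitlines():
        event = json.loads(line)
        if event["result"] != "ok":
            continue  # denied attempts are what revocation is supposed to produce
        if event["user"] not in roster:
            findings.append((event["user"], event["ts"], event["action"]))
            continue
        deactivated = roster[event["user"]]
        if deactivated is not None and parse_ts(event["ts"]) > parse_ts(deactivated):
            findings.append((event["user"], event["ts"], event["action"]))
    return findings


if __name__ == "__main__":
    for user, ts, action in find_stale_access(ROSTER, ACCESS_LOG):
        print(f"ALERT: {user} performed {action} at {ts} after intended deprovisioning")
```

Denied attempts by a deactivated account are the expected outcome and are not flagged; only successful activity after the intended removal, or by an account absent from the roster, produces a finding.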

The company noted that the practices have their own obligations to maintain patient security and confidentiality.  

The personal information at risk would include name, email address, phone number and appointment history, as well as insurance member ID, Social Security number and any relevant medical history provided to the practice via Zocdoc.

The information would not have included credit card numbers, debit card numbers or PINs, bank account information, radiological or diagnostic reports, or any medical records.

"These were not vulnerabilities exploitable by any third parties; rather, this incident is specific to the access rights of our provider client accounts," said Zocdoc representatives.

Zocdoc noted that it launched an internal investigation to repair the errors and that it is offering a year of identity theft protection through Experian IdentityWorks for affected patients.  

According to TechCrunch's Zack Whittaker, about 7,600 users across the United States were affected. Whittaker also notes that Zocdoc reported a similar incident in 2016.

"We repaired these errors, and the affected usernames can no longer access our system," said the vendor.

THE LARGER TREND  

Although the highest-profile patient-information breaches of late have involved ransomware, human error has also led to some major missteps.

Early this month, for example, an employee of the Wyoming health department accidentally uploaded the COVID-19, influenza and blood alcohol test results for more than a quarter of the state's population to a public-facing website.  

Three years ago, a Blue Cross employee uploaded a file containing member information to a website where it remained visible to the public for three months.  

ON THE RECORD  

"We have … strengthened our security practices and are taking appropriate steps to prevent an incident like this from recurring," said Zocdoc in the letter. "We will continue to regularly audit our system security and take action to enhance it."


Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.
