Doxy.me leak exposes provider data to third parties

A CyberScoop report found that Google, Facebook and HubSpot were able to access some user data through Doxy.me's virtual waiting room, although no patient health information was compromised.
By Kat Jercich
02:35 PM

Photo: Steve Debenport/Getty Images

A CyberScoop report published on Friday found that the telehealth provider Doxy.me had allowed third parties to access data about providers via its virtual waiting room.  

According to reporter Tonya Riley, the company appeared to be sharing the URLs of public waiting rooms with Google, Facebook and the marketing vendor HubSpot.

The issue, as Riley explained, is that providers choose the names of their waiting rooms, and those names often include the provider's name or the name of their practice.

In other words, that information was also potentially being shared via the URL with third parties.  

No patient health data was exposed.  

"Doxy.me was notified that certain third-party URLs used on its main website were also enabled when a user enters a virtual waiting room. Data sent to those third-parties were basic browser details (version, operating system, etc.) and, in some cases, the public virtual waiting room URL (that is self-chosen by each provider during the Doxy.me account registration process)," explained Doxy.me representatives in a statement to Healthcare IT News.   

"Once an encrypted audio/video session began, there were no embedded third-party URLs," they added.  

Although Riley reported that the data included IP addresses and unique device identification numbers, Doxy.me said only basic browser details were collected, such as screen size and device type, "so that the audio-video communication operates optimally."  

WHY IT MATTERS  

As telehealth has grown in popularity, experts have reiterated the need to safeguard privacy and security.  

In this case, user browser details were being collected for a recent marketing campaign that has since ended, said Doxy.me representatives. After the CyberScoop report, Doxy.me says it removed all third-party URLs from the virtual waiting room.   

The company is in the process of removing all data collected from those third parties.  

"As there is no need to continue sending browser information, we have removed the ability for these third-party websites to track the performance of our marketing campaigns," Doxy.me representatives said.  

The company reiterated that it neither collects nor stores patient health information.  

THE LARGER TREND  

Doxy.me has promoted its simplicity as key to its security, with founder Brandon Welch telling Healthcare IT News in June 2020 that it can rely on browser encryption rather than relying on patients to download a separate app.

But its rollout faced some hurdles early in the COVID-19 pandemic, with multifactor authentication – an important defense feature – not an initial requirement for providers.   

ON THE RECORD  

"Doxy.me regrets having those third-party URLs in the virtual waiting room entry page," said company representatives.

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.
