Patient appointment booking service notifying patients of potential breach
Zocdoc, an online booking system for dental or medical appointments, is first notifying patients almost one year after they learned programming errors enabled providers to access patient information they should not have had access to.
In June, 2015, Zocdoc reportedly learned that a programming error had
allowed some past or current practice staff members to access the Provider Dashboard, and therefore potentially view your personal information, after their usernames were removed, deleted or otherwise limited.
Although the notification does not state exactly when the problem began, the metadata for the report to the California Attorney General’s Office puts the date at June 5, 2011.
There is no explanation as to why it took from June, 2015 until May, 2016 to notify those affected. Nor does the letter signed by Anna Elwood, VP of Operations, indicate whether HHS was notified of this breach.
Zocdoc states that the types of personal information that may have been accessed includes
name, email address, phone number, [“social security number, ”] appointment history (times and dates of your appointments) with that practice, and if previously provided to that practice by you via Zocdoc, additional information such as insurance member ID and other medical history.
As Zocdoc notes, those providers and their staff members who may have inappropriately viewed or accessed patient information, “had obligations regarding the secure and confidential handling of personal information.”
Those notified are being offered complimentary services with Experian ProtectMyID.
DataBreaches.net contacted Zocdoc via email to ask how many patients are being notified and whether they are notifying every patient going back to June, 2011, or only those where logs show their info was accessed. They were also asked whether HHS been notified of this breach and why it took Zocdoc from June, 2015 until now to notify those affected.
Other than a cheery automated response, DataBreaches.net received no response by the time of this publication. This post will be updated if Zocdoc finds there’s “an opportunity to work together.” 🙂
Has one comment to “Patient appointment booking service notifying patients of potential breach”
Jordana Ari - May 17, 2016
Sounds more like stone cold silent response .i could be wrong but it doesn’t sound like any response is coming. .at least anytime soon l