Patient appointment booking service notifying patients of potential breach

Zocdoc, an online booking system for dental or medical appointments, is first notifying patients almost one year after they learned programming errors enabled providers to access patient information they should not have had access to.

In June, 2015, Zocdoc reportedly learned that a programming error had

allowed some past or current practice staff members to access the Provider Dashboard, and therefore potentially view your personal information, after their usernames were removed, deleted or otherwise limited.

Although the notification does not state exactly when the problem began, the metadata for the report to the California Attorney General’s Office puts the date at June 5, 2011.

There is no explanation as to why it took from June, 2015 until May, 2016 to notify those affected. Nor does the letter signed by Anna Elwood, VP of Operations, indicate whether HHS was notified of this breach.

Zocdoc states that the types of personal information that may have been accessed includes

name, email address, phone number, [“social security number, ”] appointment history (times and dates of your appointments) with that practice, and if previously provided to that practice by you via Zocdoc, additional information such as insurance member ID and other medical history.

As Zocdoc notes, those providers and their staff members who may have inappropriately viewed or accessed patient information, “had obligations regarding the secure and confidential handling of personal information.”

Those notified are being offered complimentary services with Experian ProtectMyID. contacted Zocdoc via email to ask how many patients are being notified and whether they are notifying every patient going back to June, 2011, or only those where logs show their info was accessed.  They were also asked whether  HHS been notified of this breach and why it took Zocdoc  from June, 2015 until now to notify those affected.

Other than a cheery automated response, received no response by the time of this publication. This post will be updated if Zocdoc finds there’s “an opportunity to work together.” 🙂

About the author: Dissent

Has one comment to “Patient appointment booking service notifying patients of potential breach”

You can leave a reply or Trackback this post.
  1. Jordana Ari - May 17, 2016

    Sounds more like stone cold silent response .i could be wrong but it doesn’t sound like any response is coming. .at least anytime soon l

Comments are closed.