Zocdoc admits exposure of access to patients’ data — for the second time!

Service provider Zocdoc says the company had a bug that allowed current and former staff at doctor’s offices and dental practices to access patient data despite their user accounts being decommissioned.

The New York-based company revealed the issue in a letter to the California attorney general’s office, which requires companies with more than 500 residents of the state affected by a security lapse or breach to disclose the incident. Zocdoc confirmed that around 7,600 users across the U.S. are impacted by the security incident.

Zocdoc, which lets prospective patients book appointments with doctors and dentists, said that it gives each medical or dental practice usernames and passwords for its staff to access appointments made through Zocdoc, but that programming errors allowed some past or current practice staff members to access the provider portal after their usernames and passwords were intended to be removed, deleted or otherwise limited.

The letter confirmed that patient data stored in Zocdoc’s portal could have been accessed, including a patient’s name, email address, phone number, and the times and dates of their appointments, but also other data that may have been shared with the practice — such as insurance details, Social Security numbers and details of the patient’s medical history.

Zocdoc, however, claims that payment card numbers, radiological or diagnostic reports, and medical records were not taken, because it does not store this data.

The company discovered the bug in August 2020, and it took close to a year before they provided notice to the California’s attorney general’s office.

It is estimated that approximately 6 million users access Zocdoc every month.

Zocdoc experienced an identical security issue that it reported to the attorney general’s office in 2016. A letter filed at the time cited similar “programming errors” that allowed staff at medical providers to improperly access patient data.