Is our personal medical data well protected by Doctolib? The question is pressing and comes up more and more often now that the platform dedicated to online doctor appointments has become important in the Covid-19 vaccination campaign.
In response to criticism, the company gave assurances in 2020 that users’ personal data is now end-to-end encrypted. “This technology makes it absolutely impossible for any other person to access this data, including as part of support or maintenance operations,” the Doctolib press release guaranteed at the time. However, a Radio France investigation published on Friday, May 20th shows that the data encryption is not complete.
Doctolib has access to certain information in plain text
Radio France's investigation unit carried out the test with the support of Benjamin Sonntag, co-founder of the association La Quadrature du Net. After connecting to Doctolib and accessing the page’s code, they noted that information about past and future visits to the doctor was always available “in the clear”, in unencrypted form.
“This means that Doctolib itself has this information in plain text,” Benjamin Sonntag explains to Radio France. This information includes the last name and first name of the patient, the date of admission, the name and specialty of the doctor who was consulted, and even the reason for the consultation. The attachments that the patient and their doctor exchange through the platform are well protected.
The data is also encrypted during transmission, so third parties cannot view it even if it is intercepted. The Radio France test shows, however, that Doctolib employees have access to it: “backup managers, system administrators, those who manage the network and servers”, according to Mr. Sonntag.
Risk of misuse
The platform confirmed to Radio France that “a very limited number of staff have access to medical appointments at certain times and for certain reasons within support functions.” According to Doctolib, “meeting data is not end-to-end encrypted” because it would interfere with “the usefulness and proper functioning of the service”, making it impossible, for example, to remind you of appointments via email or text message.
While this situation is not illegal, it creates a risk that “a malicious Doctolib employee maliciously appropriates this data or passes it on to a third party (…) who can be an insurer or your employer”, lawyer Alexandra Iteanu, a data protection specialist, told Radio France.
Doctolib has been criticized many times over its protection of the data stored on the platform. In 2021, several associations and unions of medical professionals filed an appeal with the Council of State over the partnership between the state and Doctolib created to organize appointments for the Covid-19 vaccination campaign.
The applicants feared at the time that the medical data of French people was not sufficiently protected, since Doctolib hosted its data on Amazon Web Services, one of the affiliates of the American e-commerce group. This company is subject to US law, which, under certain conditions, allows a large amount of data to be requested from US organizations providing services abroad.
The question of data encryption was put before the Council of State. One of the applicants showed that certain data stored on Amazon’s servers could, at certain times, be readable in its purest form and therefore technically accessible. However, the Supreme Administrative Court confirmed the partnership and ruled that the data encryption used by Doctolib did not cause problems.