Doctolib: Are there any disadvantages in managing your health data?

Doctolib has publicly denied allegations that it poorly protects its users' data.

The website Doctolib revolutionized the medical system by making it easier to book an appointment. The French company currently has over 50 million users and an annual turnover of 150 to 200 million euros.

However, this digitization of health care makes the population's personal medical data more vulnerable.

While Doctolib has long claimed to keep its users’ information safe, a Radio France investigation confirms that this is not necessarily the case.

What does the investigation show?

The case hinges on the issue of encryption. In 2020, Doctolib prided itself on using “end-to-end” encryption.

This method of protecting computer data guarantees users that only they and their doctor can access their health information.

However, this method is reportedly not used for all of these patients.

According to France Info, information about users' appointments (date, time, reason) is not end-to-end encrypted.

While the average person cannot access this data, the specialist explains that some Doctolib employees, such as “backup managers, system administrators, those who manage the network and servers,” have access to it.

Doctolib’s answer

During the investigation, Radio France contacted Doctolib, which admitted that appointments were not “end-to-end encrypted,” for obvious technological reasons.

Why are meetings not end-to-end encrypted❓

For a simple reason: to ensure the proper functioning of our services, such as sending SMS reminders. To our knowledge, no service in Europe applies this method to meetings.

— Doctolib (@doctolib) May 20, 2022

However, after the investigation was published, Doctolib explicitly stated that “it is not right” before going through the accusations point by point.

According to the company, only a very limited number of employees could access user data from time to time.

But it states that “all access is granted, withdrawn, checked, controlled and follows a rigorous and centralized process.”

(3) These employees have temporary authorizations that are revoked when the user’s problem is resolved. All access is granted, revoked, verified, controlled and followed by a rigorous and centralized process (ISO 27001 certified).

— Doctolib (@doctolib) May 20, 2022

So which information is correct?

Information about patients' appointments is indeed accessible to a third party, but only in certain cases.

(2) At the request of a medical practitioner or patient and under their supervision, a limited number of specially authorized employees should have access to a limited amount of information in order to be able to provide assistance to our users.

— Doctolib (@doctolib) May 20, 2022

Your health data should therefore not be used or stored by Doctolib, unless an authorized person violates the rules.

Alexandra Iteanu, a lawyer at the Paris Bar Association and data protection specialist, nevertheless explains that “medical prescriptions are personal health data” and “should be equally protected.”