some medical data is not fully protected

“After two years of working with Tanker, a leading French technology company specializing in data security (…), today Doctolib announces the introduction of end-to-end encryption for the personal health data of its users.” In June 2020, immediately after the first containment, Doctolib published a press release announcing the implementation of end-to-end encryption (end-to-end encryption in English) medical data of its users. In theory, this means that only patients and their doctors have access to it. The Doctolib press release also says: “This technology makes it absolutely impossible for any other person to access this data, including as part of support or maintenance operations.”

Two years later, when Doctolib played a central role in vaccinating French people against Covid-19, Radio France’s investigative department conducted a test that showed that the platform did not encrypt all user data. Thus, she has access to certain sensitive information, contrary to the company’s claims. This test is pretty easy to perform. We connected through our computer to our Doctolib account by entering our email address and password. We then have access to all of our past and future medical appointments. We then used the debugger to inspect the code of the page in front of us, sort of a back room. “This way we can see the exchanges between Doctolib and your computer”explains developer Benjamin Sonntag, co-founder of La Quadrature du Net, who runs this test with us. “What we discover is a document called the meeting. json *”he continues.

Screenshot showing the storage of information about meetings made on Dotolib.  (RADIO FRANCE INVESTIGATION GROUP)

Clicking on the link highlighted in blue takes us to a tree structure that gives access to all of our upcoming medical appointments. Past meetings are available in the same way.

Screenshot of the tree structure showing appointments confirmed in Doctolib.  (RADIO FRANCE)

And by clicking on 0, 1, 2, 3, 4, we see the details of our next appointment: the patient’s first and last name, the date and time of the appointment, the name and specialty of the doctor, and even the reason for the consultation.

Screenshots showing information in plain text and therefore visible to Doctolib.  (RADIO FRANCE)

“We have received plaintext from Doctolib about your next meetings. We didn’t receive them encrypted.Benjamin Sonntag explains. So this means that Doctolib itself has this information in the clear.” However, these medical appointments are significant and provide information about the state of human health. “If you regularly visit an oncologist or a psychologist, this says something about your well-being”continues Benjamin Sonntag.

The encouraging element is that this data is encrypted while it is in transit, i.e. when it circulates between Doctolib and our internet browser. No one can intercept them along the way. But at Doctolib, employees have access to the details of our medical appointments. “Usually these are backup managers, system administrators, those who manage the network and servers that can access this information.”, explains Benjamin Sonntag. In answer to the question, Doctolib actually acknowledges in a detailed email that “Meeting data is not end-to-end encrypted (…) This advanced technology, not yet very widespread (…), cannot be applied to all processed data without serious consequences for users”the company continues.

What will this impact be? “Our code needs to have access to certain appointment-related information to ensure the service is useful and functioning properly.Doctolib answers in his email. Specifically, if meeting data were end-to-end encrypted, the meeting reminder service via SMS or email would not exist today. According to Doctolib, “a very limited number of employees have access to medical appointments at certain times and for certain reasons within support functions”. That is, when a doctor or patient encounters an error on a website or application.

Doctolib also indicates that attachments exchanged between a patient and his doctor (test reports, x-rays, scanners, prescriptions, etc.) and teleconsultation streams are encrypted throughout. No third parties have access to it. The test we ran with Benjamin Sonntag confirms this. “Doctor appointments are personal health data, just like sharing attachments**”however, believes Alexandra Iteanu, a lawyer at the Paris Bar Association, a data protection specialist. “They should be protected in the same way.”

However, Doctolib is not breaking the law by not end-to-end encrypting all the medical data it has. “GDPR (European Data Protection Regulation, editor’s note) does not make end-to-end encryption mandatory. He simply encourages him, saying that all technical and organizational measures must be taken to protect this data.”says the lawyer. However, Doctolib demonstrates “lack of transparency”appreciates Alexander Iteanu because he uses end-to-end encryption, which is not “not implemented in practice”. At least not completely.

The risk to the user is not only theoretical. “Security breaches often come from within companies“, – explains Alexandra Iteanu. “We are not immune from the malicious use of this data by a malicious Doctolib employee or its transfer to a third party.says the lawyer. A third party who may be an insurer or your employer. But this data can also be resold online.”. However, health data is sold at a gold price on the dark web. External intrusions are also possible, as was the case in July 2020. Attackers illegally gained access to information about 6128 meetings. Doctolib filed a complaint.

The company has long been ambivalent about encrypting medical data. In an internal document we received (in English) from September 2019, it says: “Strictly speaking, it’s not end-to-end encryption, but it could be in terms of communications.”

Doctolib internal document:

When asked about this document, Doctolib answers: “We’ve always been clear and transparent when it comes to encryption.”

*JSON (JavaScript Object Notation) is a simplified language for exchanging text data between a server and a web browser. For computers, this format is easily generated and parsed (source Journal du Net).

** In a decision dated March 12, 2021, the Council of State ruled that Covid-19 vaccination appointments made on Doctolib are not health data. But this decision only applied to vaccination appointments, and not to all medical appointments made on Doktolib.

Move on :

>> Doctolib: a success story or danger to the healthcare world?
>> How Doctolib uses our health data
>> Teleconsultation: French giant at the forefront