Zocdoc Notifies Patients of Breach Discovered in June 2015

This week, Zocdoc – an online medical booking system – notified the California Attorney General’s office of a breach of personal information that was first identified almost a year ago.

Programming errors were discovered in June 2015 that allowed past and present practice staff members to gain access to their Provider Dashboards after their usernames had been removed from the system or their access had otherwise been limited. The usernames had been provided to medical and dental practices that had signed up to use the Zocdoc appointment system.

Patients affected by the data breach have now been sent notification letters advising them that their name, phone number, email address, appointment history, and in some cases Social Security number, could have been accessed by staff members at each practice who were not authorized to view the information. Health insurance information and medical histories could also have potentially been accessed if patients had provided that information via Zocdoc when making appointments.

According to the breach notice, “Access may have occurred between [first access date] to [last access date].” Patients will have been notified of the period during which their personal information was accessible. Databreaches.net reports that the document’s metadata indicates the first access date was June 5, 2011, although this has not been confirmed by Zocdoc.

As soon as the programming errors were discovered, an investigation was launched and action was taken to correct the issue and prevent access after users’ authorization had been changed. Former users whose accounts have been removed or deleted can no longer access the system.
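The failure mode described above, access that survives the removal or limiting of a staff account, usually comes down to authorizing from data captured at login instead of from the account's current state. The following is an added illustration, not Zocdoc's code; the `Dashboard`, `Account` and `Session` names and the `active`/`limited`/`removed` statuses are hypothetical. It places the login-time-snapshot check beside a per-request re-check and shows deprovisioning that also revokes live sessions.

```python
"""Per-request re-authorization for a provider dashboard (hypothetical model)."""
from dataclasses import dataclass
import secrets


@dataclass
class Account:
    username: str
    practice_id: str
    status: str = "active"      # active | limited | removed


@dataclass
class Session:
    token: str
    username: str
    practice_id: str            # snapshot taken at login
    can_view_patients: bool     # snapshot taken at login


class Dashboard:
    def __init__(self):
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, Session] = {}

    def login(self, username: str) -> str:
        acct = self.accounts[username]          # KeyError if the account is gone
        tok = secrets.token_hex(16)
        self.sessions[tok] = Session(tok, username, acct.practice_id,
                                     acct.status == "active")
        return tok

    def view_patients_vulnerable(self, token: str) -> bool:
        # Trusts the login-time snapshot: later limiting the account changes nothing.
        s = self.sessions.get(token)
        return bool(s and s.can_view_patients)

    def view_patients_hardened(self, token: str) -> bool:
        # Re-reads the live account record on every request.
        s = self.sessions.get(token)
        if s is None:
            return False
        acct = self.accounts.get(s.username)
        return (acct is not None and acct.status == "active"
                and acct.practice_id == s.practice_id)

    def limit_access(self, username: str) -> None:
        # Changes the account only; existing sessions are left alone (the bug class).
        self.accounts[username].status = "limited"

    def remove_user(self, username: str) -> None:
        # Deletes the account AND revokes every session that belongs to it.
        self.accounts.pop(username, None)
        for tok in [t for t, s in self.sessions.items() if s.username == username]:
            del self.sessions[tok]
```

Auditing for this defect means checking every privileged endpoint for a live status lookup, not just the login path.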

All individuals whose information may have been inappropriately accessed have been offered complimentary identity protection services for a period of 12 months. Those services were provided “out of an abundance of caution” to protect against identity theft, although Zocdoc has no reason to believe that any patient information has been used inappropriately.

Zocdoc points out that the individuals who may have accessed the system were medical professionals and practice staff members who “had obligations regarding the secure and confidential handling of personal information.”

In response to the breach, Zocdoc has taken action to prevent similar incidents from occurring in the future. Additionally, Zocdoc’s system security will be regularly audited and action will be taken to enhance security.

While it would appear that patients have not been placed at a particularly high risk of harm as a result of the error, it is unclear why it took so long for breach notifications to be issued. Under California Civil Code s. 1798.29(e) and 1798.82(f), disclosures of personal information should be reported to the Attorney General’s office “in the most expedient time possible and without unreasonable delay.” At the time of publication, the breach has not appeared on the Office for Civil Rights Breach Notification portal.

Zocdoc requires patients to sign an authorization before using the service in which they give their permission for Zocdoc to disclose their PHI to healthcare providers and other entities detailed in the authorization.

The authorization form says “when Zocdoc relies on this Authorization, and uses and discloses PHI as described in this Authorization, it is not working as a Business Associate and the HIPAA requirements that apply to Business Associates will not apply to such uses and disclosures.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.