ZocDoc Says Programming Error Resulted in Exposure of Patient Data

ZocDoc, a New York-based provider of a platform that allows prospective patients to book appointments with doctors and dentists, has discovered a bug in its software that allowed patient data to be accessed by medical and dental practices when access should have been restricted.

The investigation revealed that programming errors had occurred which meant that, from August 2020 until the errors were discovered and corrected, certain past and current practice staff members had access to the provider portal when their accounts should have been decommissioned, deleted, or limited. In all cases, the individuals who could have accessed patient data improperly were healthcare providers and are therefore bound to maintain the privacy and security of patient data. ZocDoc said there is no evidence to suggest there have been any further disclosures of patient data.

Patient data potentially accessed included names, email addresses, phone numbers, appointment histories with the practice, insurance information, Social Security numbers, and medical information provided by individuals in connection with appointments booked through the service.

ZocDoc said it performed a review of its software and code and the programming errors have been corrected. Security practices have now been strengthened, regular security audits will continue to be conducted, and steps have been taken to enhance those audits.

ZocDoc said approximately 7,600 individuals across the United States have been affected. As a precaution against identity theft and fraud, affected individuals have been offered a complimentary 12-month membership to the Experian IdentityWorks identity theft protection service.

Email Account Breaches Reported by Cincinnati Parenting Center

Beech Acres Parenting Center in Cincinnati has discovered email accounts containing client data have been accessed by an unauthorized individual. A digital forensics firm was engaged to assist with the investigation and determine the nature and full scope of the breach. The investigation revealed email accounts were accessed by an unauthorized individual between December 29, 2020 and March 18, 2021.

A review of the emails and attachments in the compromised accounts revealed they contained sensitive client information including names, dates of birth, client account numbers, dates of service, provider names, treatment, and clinical information and, for a subset of individuals, health insurance information, Social Security numbers, and/or driver’s license numbers.

Upon discovery of the breach, all email accounts were secured. Devices and systems are being reviewed and steps will be taken to improve security. The workforce will also be re-educated on identifying and avoiding suspicious emails.

Once the review has concluded, affected individuals will be notified by mail. Individuals whose Social Security or driver’s license number was potentially compromised will be offered complimentary credit monitoring and identity protection services. The breach has been reported to the HHS’ Office for Civil Rights as affecting 500 individuals.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.