Improper Patient Data Access at ZocDoc

It was recently reported that the protected health information of 7,600 patients was exposed due to software programming errors. ZocDoc, a company that enables patients to self-schedule medical appointments through its online booking software, discovered a bug in that software that allowed improper access to patient data. The details of the improper patient data access are discussed below.

What Was the Programming Error Causing the Improper Patient Data Access?

In August 2020, ZocDoc discovered a programming error that allowed users whose access to the software was supposed to have been revoked or limited to regain full access. ZocDoc released a statement regarding the issue, stating that the error “allowed some past or current practice staff members to access the provider portal after their usernames and passwords were intended to be removed, deleted or otherwise limited.”

As a result of this programming error, individuals who should not have been able to access patient data had the potential to access it. Although ZocDoc boasts six million users, the number of patients potentially affected by the improper patient data access was limited to 7,600.

Protected health information potentially accessed in the incident included names, email addresses, phone numbers, appointment histories with the practice, insurance information, Social Security numbers, and medical information provided by the patient.


How Has ZocDoc Addressed the Problem?

Upon discovering the programming error, ZocDoc launched an investigation to determine how the error occurred, and how many patients were potentially affected as a result. ZocDoc has since fixed the coding error, and revoked portal access to the affected usernames.

Sandra Glading, ZocDoc spokesperson, stated that the bug was discovered in August 2020, but “due to the complexity of the code, it took a significant amount of investigation to determine which, if any, practices and users were affected and how.”

She added that ZocDoc has “detailed logs that can detect exploitation of any data, including any potential exploitation of this vulnerability.” After reviewing the logs, they “have no indication, at this time, that any personal information was misused in any way.”

ZocDoc has since corrected the programming error and revoked access for the accounts in question. However, although ZocDoc has addressed the current programming error, this is not the first time that something like this has occurred. In June 2015, ZocDoc reported a similar programming error that allowed improper patient data access. This indicates that this kind of breach can easily reoccur in the near future, and therefore users must be vigilant in monitoring their accounts.
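The two security-relevant points above are the failure mode (accounts that were meant to be removed or limited still reaching the provider portal) and the detection ZocDoc relied on (reviewing access logs for exploitation). The following is an added illustration, not ZocDoc's code and not based on its actual system: a single authorization check that re-evaluates account status on every request, so that a deleted or limited account cannot keep using an earlier login, and a review routine that scans constructed portal log lines for successful access that the account's current status should not have allowed. The account names, statuses, timestamps and log format are all constructed for this example.

```python
"""
Added example (not ZocDoc's code): a central authorization check that
enforces account status on every request, plus a review of constructed
portal access logs for successful access by accounts that should already
have been revoked or limited. Account names, timestamps and the log format
are all constructed for the illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Account:
    username: str
    status: str                  # "active", "limited" or "revoked"
    status_changed_at: datetime  # when the status was last changed

# Actions a "limited" account may still perform; anything else needs "active".
LIMITED_ALLOWED = {"view_schedule"}

def authorize(account: Account, action: str) -> bool:
    """Single decision point: status is checked on every request, so a
    removed or limited account cannot keep using a previously issued session."""
    if account.status == "active":
        return True
    if account.status == "limited":
        return action in LIMITED_ALLOWED
    return False  # revoked or unknown status: deny by default

# Constructed account directory keyed by username.
ACCOUNTS = {
    "dr_active": Account("dr_active", "active", datetime(2020, 1, 10)),
    "clerk_limited": Account("clerk_limited", "limited", datetime(2020, 6, 1)),
    "former_staff": Account("former_staff", "revoked", datetime(2020, 7, 15)),
}

# Constructed portal log lines: timestamp, user, action, result.
SAMPLE_LOG = """\
2020-08-02T09:15:00 user=dr_active action=view_patient result=ok
2020-08-02T09:20:00 user=clerk_limited action=view_schedule result=ok
2020-08-02T09:22:00 user=clerk_limited action=view_patient result=ok
2020-08-03T14:05:00 user=former_staff action=view_patient result=ok
2020-07-01T08:00:00 user=former_staff action=view_patient result=ok
2020-08-04T10:00:00 user=former_staff action=view_patient result=denied
"""

def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line into a dict, or return None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not {"user", "action", "result"} <= set(fields):
        return None
    fields["ts"] = ts
    return fields

def find_improper_access(log_text: str, accounts: dict) -> list:
    """Return (timestamp, user, action) for every successful access that the
    account's current status does not permit and that happened after the
    status change. Earlier successes were legitimate at the time and are
    not flagged; denied attempts are not flagged either."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "ok":
            continue
        acct = accounts.get(ev["user"])
        if acct is None:
            # A successful access by a username not in the directory is
            # always worth review.
            findings.append((ev["ts"], ev["user"], ev["action"]))
            continue
        if ev["ts"] >= acct.status_changed_at and not authorize(acct, ev["action"]):
            findings.append((ev["ts"], ev["user"], ev["action"]))
    return findings

if __name__ == "__main__":
    for ts, user, action in find_improper_access(SAMPLE_LOG, ACCOUNTS):
        print(f"{ts.isoformat()} {user} performed {action} despite restricted status")
```

On the constructed log, the review flags two events: the limited clerk viewing a patient record and the former staff member reaching the portal after revocation. The earlier access by the former staff member predates the revocation and is not flagged, and the later denied attempt shows the authorization check doing its job. The design point is that the status check lives in one place and runs on every request, rather than being applied only at login.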

ZocDoc has also notified patients potentially affected by the incident via mail. It is offering these individuals complimentary identity monitoring services, which patients have until September 30, 2021 to enroll in.