Doctolib does not fully encrypt data about its users, according to Radio France

Is our personal health data well protected by Doctolib? The question is an uncomfortable one, and it has come up more and more often since the online medical appointment platform became a necessity with the Covid-19 vaccination campaign.

To respond to criticism, the company announced in 2020 that users’ personal data was now end-to-end encrypted. “This technology makes it completely impossible for anyone else to access this data, including for support or maintenance operations,” the Doctolib press release guaranteed at the time. An investigation by Radio France, published on Friday 20 May, shows that the encryption of this data is not complete.


Doctolib has access to certain information in plain text

The test was conducted by Radio France’s investigation unit with the support of Benjamin Sonntag, co-founder of La Quadrature du Net. By logging in to Doctolib and inspecting the page’s source code, they found that information about the user’s past and upcoming medical appointments is accessible “in the clear”, that is, unencrypted.

“This means that Doctolib itself has this information in plain text,” Benjamin Sonntag explains to Radio France. This information includes the patient’s surname and first name, the date of the appointment, the name and specialty of the doctor consulted and even the reason for the consultation. Attachments exchanged between patient and doctor through the platform are, by contrast, properly protected.

The data is encrypted in transit, so it cannot be read by third parties even if it is intercepted. The Radio France test shows that only Doctolib employees have access to it: backup managers, system administrators and those who manage the network and servers, as Mr. Sonntag details.

Risk of misuse

The platform confirmed to Radio France that “a very limited number of employees have access to medical appointments, at specific times and for specific reasons, within the support functions.” According to Doctolib, appointment data is not end-to-end encrypted because that would hinder the service’s operation and smooth running, making it impossible, for example, to send appointment reminders by email or text message.
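As an added illustration of the trade-off described above (constructed for this article, not Doctolib’s code, which is not public), the hypothetical record below keeps only the two fields a reminder actually needs readable by the server and seals the other fields on the client with a key the server never holds; the field names, sample values, key handling and reminder logic are all assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample appointment (not real data); the fields mirror those the
# Radio France test found readable on the server.
APPOINTMENT = {
    "patient": "A. Example",
    "contact": "patient@example.invalid",
    "date": "2022-06-01T09:30",
    "doctor": "Dr B. Example",
    "specialty": "dermatology",
    "reason": "follow-up on skin lesion",
}
REMINDER_FIELDS = {"contact", "date"}              # needed to send a reminder
SEALED_FIELDS = set(APPOINTMENT) - REMINDER_FIELDS  # never leave the client in clear


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF-based stream cipher.
    Demonstration only (no integrity tag); a real client would use an AEAD."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: str) -> dict:
    nonce = secrets.token_bytes(12)  # fresh per field, stored with the ciphertext
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))
    return {"nonce": nonce.hex(), "ct": ct.hex()}


def open_sealed(key: bytes, box: dict) -> str:
    nonce, ct = bytes.fromhex(box["nonce"]), bytes.fromhex(box["ct"])
    pt = bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))
    return pt.decode(errors="replace")


def client_submit(appt: dict, client_key: bytes) -> dict:
    """What the client uploads: reminder fields in clear, everything else sealed."""
    record = {f: appt[f] for f in REMINDER_FIELDS}
    record["sealed"] = {f: seal(client_key, appt[f]) for f in SEALED_FIELDS}
    return record


def server_readable(record: dict) -> dict:
    """Everything a support engineer or backup operator could read server-side."""
    return {f: v for f, v in record.items() if f != "sealed"}


def server_reminder(record: dict) -> str:
    """The reminder works from the clear fields alone; no sealed field is needed."""
    return f"Reminder to {record['contact']}: appointment on {record['date']}"
```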

While this situation is illegal, it also creates a risk that “a Doctolib employee acting in bad faith misappropriates this data maliciously or passes it on to a third party (…) who could be an insurance company or your employer”, lawyer Alexandra Iteanu, who specializes in data protection, told Radio France.


Doctolib has been criticized several times over its protection of the data it holds. In 2021, several associations and unions of health professionals filed an appeal before the Council of State over the fraudulent partnership between the state and Doctolib to organize appointments for the Covid-19 vaccination campaign.

At the time, the applicants feared that the medical data of French citizens was not sufficiently protected, because Doctolib hosted it on Amazon Web Services, a subsidiary of the US e-commerce group. That company is subject to United States law, which, under certain circumstances, allows large amounts of data to be requested from US entities providing services abroad.

The question of data encryption was raised before the Council of State. One applicant showed that some of the data stored on Amazon’s servers was, at certain times, readable in the clear and therefore technically accessible. However, the partnership was upheld by the highest administrative court, which ruled that the encryption practised by Doctolib was not a problem.

Le Monde
