Are our personal health data well protected by Doctolib? The question is nagging and increasingly recurrent since the platform specializing in online medical appointments has become essential with the vaccination campaign against Covid-19.
To respond to criticism, the company assured in 2020 that users’ personal data was now end-to-end encrypted. “This technology makes it strictly impossible for any other person to access this data, including in support or maintenance operations”, guaranteed at the time the press release of Doctolib. A survey by Radio France, published on Friday May 20, shows however that the encryption of data is not total.
Doctolib has access to certain information in plain text
The public radio investigation unit carried out a test with the support of Benjamin Sonntag, co-founder of the association La Quadrature du Net. By connecting to Doctolib and accessing the code of the page, they noted that information concerning the user’s past and future medical appointments was always accessible “in the clear”, in an unencrypted manner.
« This means that Doctolib itself has this information in plain text”, explains Benjamin Sonntag to Radio France. Among this information: the surnames and first names of the patient, the date of the appointment, the name and specialty of the doctor consulted and even the reason for the consultation. The attachments exchanged between a patient and his doctor via the platform are well protected.
The data is also encrypted while in transit, and therefore cannot be viewed by third parties, even if intercepted. The Radio France test shows that it is Doctolib employees who have access to it, as “backup managers, system administrators, those who manage the network and servers”according to the details of Mr. Sonntag.
Risk of misuse
The platform has acknowledged with Radio France that“a very limited number of employees have access to medical appointments, at specific times and for specific reasons, within the framework of support functions”. According to Doctolib, “meeting data is not end-to-end encrypted” because it would prevent usefulness and proper functioning of the service”making it impossible, for example, to remind you of appointments by email or text message.
While this situation is not illegal, it creates the risk that a “ill-intentioned Doctolib employee misappropriates this data in a malicious way or transmits it to a third party (…) who could be an insurer or your employer”, informs Radio France the lawyer Alexandra Iteanu, specialist in data protection.
Doctolib has been criticized many times over the protection of data held by the platform. In 2021, several associations and unions of health professionals had filed an appeal with the Council of State concerning the partnership between the State and Doctolib forged to organize appointments within the framework of the vaccination campaign against Covid- 19.
The applicants then feared that the medical data of the French were not sufficiently protected, because Doctolib hosted its data at Amazon Web Services, one of the branches of the American e-commerce group. This company is subject to US law, which allows, under certain conditions, to request a lot of data from US entities providing services abroad.
Before the Council of State, there was a question of data encryption. One of the applicants had shown that certain data stored on Amazon’s servers were, at certain times, readable in clear and therefore technically accessible. The highest administrative court had however validated the partnership and ruled that the data encryption practiced by Doctolib was not problematic.