Zocdoc programming bug allowed unauthorized access to patient data
New York-based Zocdoc, an appointment-booking portal, last week submitted a notice informing the California Office of the Attorney General of a programming error that had allowed unauthorized access to its patient data.
The company was required to disclose the lapse under California's breach-notification law. The bug, discovered in August, meant that login credentials of health provider clients that were supposed to have been deactivated kept working, so those users retained access to Zocdoc's portal.
Data that could have been accessed included patient names, email addresses, phone numbers, appointment histories, social security numbers, insurance member ID numbers and medical histories. Roughly 7,600 users’ data was affected.
The delay in reporting stemmed from the complexity of the code: a significant investigation was needed to determine which practices and users were affected, and how, a Zocdoc spokeswoman said, adding that the company provided the notice “as soon as was practicable.”
The spokeswoman emphasized that any individuals who could have had unauthorized access to the data were staff of Zocdoc health provider clients and, as such, governed by privacy and security obligations under the Health Insurance Portability and Accountability Act, or HIPAA.
“We do not believe that any misuse or unauthorized access to unsecured personal information has occurred or that any Zocdoc systems were compromised,” she said.
Zocdoc has since implemented fixes, including disabling any affected provider account credentials, repairing the code, adding security measures to monitor for unauthorized logins and auditing its system security, the spokeswoman said.
Zocdoc had reported a similar incident in 2016, according to records from the attorney general’s office.
Around 6 million users access Zocdoc each month, and the company said its revenue grew 35% in 2020 from the previous year.