Some medical data is not fully protected

“After two years of work with Tanker, a cutting-edge French technology company specializing in data security (…), Doctolib today announces the implementation of end-to-end encryption for the personal health data of its users.” In June 2020, just after the first lockdown, Doctolib issued a press release announcing end-to-end encryption of its users’ medical data. In theory, this means that only patients and their doctors can read that data: it is encrypted before it leaves their devices, and the platform in between never holds it in readable form. Doctolib’s press release also stated: “This technology makes it strictly impossible for any other person to access this data, including in support or maintenance operations.”

Two years later, while Doctolib played a central role in vaccinating the French population against Covid-19, Radio France’s investigation unit carried out a test showing that the platform does not encrypt all user data end to end. The company therefore has access to certain confidential information, contrary to what it claims. The test is simple to reproduce. We logged in to our Doctolib account from a computer, entering our email address and password, which gives access to all our past and upcoming medical appointments. We then used the browser’s developer tools (a debugger) to inspect what goes on behind the page, its back room of sorts. “We can thus see the exchanges between Doctolib and your computer,” explains the developer Benjamin Sonntag, co-founder of the association La Quadrature du Net, who performed the test alongside us. “What we discover is a document called appointments.json*,” he continues.

Screenshot showing the storage of information relating to appointments made on Doctolib.  (RADIO FRANCE INVESTIGATION UNIT)

By clicking on the link in blue we arrive at a tree structure which gives access to all our upcoming medical appointments. Past appointments are accessible in the same way.

Screenshot of the tree structure showing appointments confirmed on Doctolib.  (RADIO FRANCE INVESTIGATION UNIT)

And by clicking on 0, 1, 2, 3, 4, we see the details of our next appointments: name and surname of the patient, date and time of the appointment, name and specialty of the doctor and even the reason for the consultation.

Screenshots showing the information in plain text and therefore visible to Doctolib.  (RADIO FRANCE INVESTIGATION UNIT)

“We received from Doctolib the data in clear on your next appointments. We did not receive them encrypted,” explains Benjamin Sonntag. “So that means that Doctolib itself has this information in the clear.” Yet these medical appointments are revealing: they say something about a person’s state of health. “If you regularly go to an oncologist or a psychologist, that says something about your state of health,” continues Benjamin Sonntag.

One reassuring point: this data is encrypted in transit, that is, while it travels between Doctolib’s servers and our browser, so nobody can intercept it on the way. But transport encryption only protects the connection. It ends at Doctolib’s servers, where the data is decrypted, and employees there can see the details of our medical appointments. “Typically it is the backup managers, system administrators, those who manage the network and the servers who can have access to this information,” explains Benjamin Sonntag. When questioned, Doctolib indeed acknowledges in a detailed email that “appointment data is not end-to-end encrypted (…) This advanced technology, still not very widespread (…) cannot be applied to all the data processed without major impact for users,” the company continues.

What would that impact be? “Our code must be able to access certain information related to appointments to guarantee the usefulness and proper functioning of the service,” Doctolib answers in its email. Concretely, if the appointment data were end-to-end encrypted, the servers could not read the appointment time they need, and the SMS or e-mail reminder service could not work as it does today. According to Doctolib, “a very limited number of employees have access to medical appointments, at specific times and for specific reasons, as part of support functions”, that is, when a doctor or patient encounters a bug on the site or in the application.

Doctolib also specifies that the attachments exchanged between a patient and their doctor (test reports, x-rays, CT scans, prescriptions, etc.) and teleconsultation streams are end-to-end encrypted. No third party has access to them. The test we carried out with Benjamin Sonntag confirms this. “Medical appointments are personal health data in the same way as the attachments exchanged**,” counters Alexandra Iteanu, a lawyer at the Paris bar specializing in data protection. “They should be protected in the same way.”

However, Doctolib does not break the law by not end-to-end encrypting all the medical data in its possession. “The GDPR (the European regulation on the protection of personal data, editor’s note) does not make end-to-end encryption mandatory. It simply encourages it by saying that all technical and organizational measures must be put in place to protect this data,” says the lawyer. Still, Doctolib shows a “lack of transparency”, Alexandra Iteanu believes, because it advertises an end-to-end encryption that is “not implemented in practice”. At least not completely.

The risk for the user is not only theoretical. “Security breaches often come from inside companies,” explains Alexandra Iteanu. “We are not immune to an ill-intentioned Doctolib employee misusing this data in a malicious way or transmitting it to a third party,” says the lawyer. “A third party who could be an insurer or your employer. But this data could also be resold on the Internet.” And health data fetches a high price on the dark web. Outside intrusions are also possible, as seen in July 2020, when information about 6,128 appointments was illegally accessed by attackers. Doctolib filed a complaint.

The company has long been ambiguous about its encryption of medical data. In an internal document (in English) dating from September 2019 that we obtained, it is written: “It’s not strictly speaking end-to-end encryption, but it can be in terms of communication.”

Doctolib internal document: "It's not end-to-end encryption per se, but it can be in terms of communication." 2019. (INVESTIGATION UNIT OF RADIO FRANCE)

Asked about this document, Doctolib says: “We have always been clear and transparent when it comes to encryption.”

*JSON (JavaScript Object Notation) is a lightweight text format for exchanging data between a server and a web browser. It is easy for programs to generate and to parse (source: Journal du Net).

**In a decision dated March 12, 2021, the Council of State ruled that appointments made on Doctolib to be vaccinated against Covid-19 were not health data. But this decision only concerned vaccination appointments and not all medical appointments made on Doctolib.

