Doctolib: Are there flaws in the management of your health data?


After being accused of poorly protecting the data of its users, the company Doctolib has publicly denied it.

The Doctolib website has transformed the medical system by making appointment booking much easier. The French company now has more than 50 million users and an annual turnover of 150 to 200 million euros.

However, this digitization of healthcare weakens the protection of the population's personal medical data.

While Doctolib has long claimed to safeguard its users' information, an investigation by Radio France claims that this is not necessarily the case.

What does the survey reveal?

The case hinges on a question of encryption. In 2020, Doctolib was proud to announce that it used "end-to-end" encryption.

This data protection technique guarantees the user that only they and their doctor can access their health information, because the data is encrypted before it leaves the user's device and the service operating the servers holds no key to decrypt it.

However, this technique is reportedly not applied to all patient data.

According to France Info, the information about users' appointments (date, time, reason) is not "end-to-end" encrypted.

While an ordinary person cannot access this data, a specialist explains that some Doctolib employees, such as "backup managers, system administrators, those who manage the network and servers", do have access to it.

Doctolib’s answer

During its investigation, Radio France contacted Doctolib, which admitted that appointments are not "end-to-end encrypted", for apparently technical reasons.

Why isn't end-to-end encryption used for appointments?

For a simple reason: to ensure the proper functioning of our services, such as sending SMS reminders. As far as we know, no service in Europe applies this method to appointments.

However, after the investigation was published, Doctolib explicitly stated "it's false" before addressing the accusations point by point.

According to the company, only a very limited number of staff could occasionally have access to a user's data.

It further claims that: "All access is granted, revoked, audited, controlled and respects a strict and centralized process".

(3) These employees have temporary authorizations, withdrawn at the end of the resolution of the user’s problem. All access is granted, revoked, audited, controlled and respects a strict and centralized process (ISO 27001 certification).

What information is therefore true?

The information about patients' appointments is therefore accessible to a third party, but only on certain occasions.

(2) At the request of and under the supervision of a physician or patient, a limited number of specifically authorized employees must have access to a limited amount of information in order to provide assistance to our users.

Their health data must therefore not be used or stored by Doctolib, unless an authorized employee breaks the rules.

Alexandra Iteanu, a lawyer at the Paris Bar and a specialist in data protection, explains along the same lines that "Medical appointments are personal health data" and "They should be equally protected."
