Zocdoc says ‘programming errors’ exposed access to patients’ data

Zocdoc says it has fixed a bug that allowed current and former staff at doctor’s offices and dental practices to access patient data because their user accounts weren’t properly decommissioned.

The New York-based company revealed the issue in a letter to the California attorney general’s office, which requires companies with more than 500 residents of the state affected by a security lapse or breach to disclose the incident. Zocdoc confirmed that around 7,600 users across the U.S. are impacted by the security incident.

Zocdoc, which lets prospective patients book appointments with doctors and dentists, said that it gives each medical or dental practice usernames and passwords for its staff to access appointments made through Zocdoc, but that “programming errors” — essentially a software bug in Zocdoc’s own systems — “allowed some past or current practice staff members to access the provider portal after their usernames and passwords were intended to be removed, deleted or otherwise limited.”

The letter confirmed that patient data stored in Zocdoc’s portal could have been accessed, including a patient’s name, email address, phone number, and the times and dates of their appointments, but also other data that may have been shared with the practice — such as insurance details, Social Security numbers and details of the patient’s medical history.

But Zocdoc said payment card numbers, radiological or diagnostic reports, and medical records were not taken, since it does not store this data.

In an email, Zocdoc spokesperson Sandra Glading said that the company discovered the bug in August 2020, but “due to the complexity of the code, it took a significant amount of investigation to determine which, if any, practices and users were affected and how.” The company said it provided notice to the California’s attorney general’s office “as soon as was practicable.”

Zocdoc said it has “detailed logs that can detect exploitation of any data, including any potential exploitation of this vulnerability,” and that after a review of those logs and other investigative work, “we have no indication, at this time, that any personal information was misused in any way.”

Around 6 million users access Zocdoc a month, the company said.

If this incident sounds vaguely familiar, it’s because this was a near-identical security issue to one Zocdoc reported in 2016. A letter filed at the time cited similar “programming errors” that allowed staff at medical providers to improperly access patient data.