Telehealth platform Doxy.me is fixing an issue that allowed three third-party firms to access the names of some patients’ providers, the company told CyberScoop after it notified Doxy.me of the problem.
The company, which self-reports as holding 30% of the growing U.S. telemedicine market and is currently used by over 1 million providers worldwide, appeared to also be sharing IP addresses and unique device identification numbers with Google, Facebook and the marketing software company HubSpot, privacy researcher Zach Edwards found after examining the platform.
The sensitive user data was accessible when patients clicked on a link to the platform’s “virtual waiting room” service, which connects patients with medical professionals. Providers can choose the name of their waiting room, which is often their name or the name of their medical practice. (In a sample observed by CyberScoop, the URL included the name of a provider.)
It appears that Doxy.me tried to take some measures to strip the doctor's name from the URLs sent to third parties, Edwards said, but the three companies used specific technical loopholes to access the full URL, which contained the doctor's name. No patient health data was exposed.
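The article does not say which loopholes the three firms used. As an added illustration, which is not Doxy.me's code or the researcher's findings, the Python below shows why scrubbing the URL handed to a tracker's SDK is not enough on its own: the same URL reaches the third party over other channels, here the HTTP Referer the browser attaches to the tracker's own requests, which follows the page's Referrer-Policy rather than whatever the page put in the scrubbed payload (a script executing in the page can also simply read the location for itself, which this server-side model cannot show). The hostnames, the one-segment waiting-room path layout, the salt and the policy subset are assumptions.

```python
"""Illustration only: a first party scrubs the provider name out of the
tracker payload, yet the Referer the browser sends to the same tracker is
decided by Referrer-Policy, not by the scrubbed payload."""
import hashlib
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Assumed per-deployment secret; a public or guessable salt would let a
# third party rebuild the mapping by hashing a list of provider names.
ROOM_SALT = b"per-deployment-secret-salt"


def scrub_room_url(url: str) -> str:
    """Replace the waiting-room name (assumed to be the first path segment)
    with a salted hash so the tracker payload no longer names the provider.
    Query string and fragment are dropped because they are another place
    where identifiers tend to ride along."""
    parts = urlsplit(url)
    segments = parts.path.split("/")
    if len(segments) > 1 and segments[1]:
        digest = hashlib.sha256(ROOM_SALT + segments[1].encode()).hexdigest()
        segments[1] = "room-" + digest[:12]
    return urlunsplit((parts.scheme, parts.netloc, "/".join(segments), "", ""))


def referer_for(page_url: str, request_url: str,
                policy: str = "strict-origin-when-cross-origin") -> Optional[str]:
    """Model the Referer a browser sends when a page at page_url requests
    request_url under the given Referrer-Policy. Covers a subset of the
    policy names; the fragment is never sent under any policy."""
    page, req = urlsplit(page_url), urlsplit(request_url)
    origin_only = f"{page.scheme}://{page.netloc}/"
    full = urlunsplit((page.scheme, page.netloc, page.path, page.query, ""))
    same_origin = (page.scheme, page.netloc) == (req.scheme, req.netloc)
    downgrade = page.scheme == "https" and req.scheme == "http"

    if policy == "no-referrer":
        return None
    if policy == "origin":
        return origin_only
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "no-referrer-when-downgrade":   # pre-2020 browser default
        return None if downgrade else full
    if policy == "unsafe-url":
        return full
    if policy == "strict-origin-when-cross-origin":   # current default
        if downgrade:
            return None
        return full if same_origin else origin_only
    raise ValueError(f"unsupported Referrer-Policy: {policy}")


def tracker_view(page_url: str, tracker_url: str, policy: str):
    """What the third party receives: (scrubbed payload URL, Referer header)."""
    return scrub_room_url(page_url), referer_for(page_url, tracker_url, policy)


if __name__ == "__main__":
    # Constructed sample: a waiting-room URL carrying a provider name.
    page = "https://doxy.example/dr-jane-smith"
    pixel = "https://tracker.example/pixel.gif"
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        payload, referer = tracker_view(page, pixel, policy)
        print(f"{policy:32} payload={payload}  referer={referer}")
```

Under the older default policy the payload is clean but the Referer still carries `/dr-jane-smith`; under the current default only the origin leaks, and `no-referrer` closes that channel entirely. The practical check is therefore to set `Referrer-Policy` explicitly on pages whose paths identify a provider, then confirm with the browser's network panel what each third-party request actually carries, rather than trusting what the page passed to the SDK.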
“Frankly, this human error got by us,” Alan Mark, privacy officer at Doxy.me, said in an email to CyberScoop. “When you notified us, we took immediate action to remove most of the links and will remove the remaining one by week’s end.”
Doxy.me is one of numerous telehealth platforms that exploded in popularity during the COVID-19 pandemic. Along with that rapid growth have come cybersecurity growing pains, including Doxy.me’s use in 2020 of weak password standards for health care providers, an issue that has since been resolved, according to researcher Misha Rykov of the Mozilla Foundation.
Doxy.me encrypts patient-provider sessions and no tracking mechanisms are used during sessions, Dana Fioravanti, Doxy.me communications manager, told CyberScoop in an email. The company does not store personal health information, she said.
Symptoms of a larger issue
The issue hints at larger questions about data protection in the telehealth industry.
Google and Facebook use metadata collected across websites to group individuals into “audiences.” To help advertising customers reach the people they are targeting, the companies build on those groups to form “lookalike” or “similar” audiences, and a marketing customer can then use this tool to expand its own audience list.
Such data sharing could put users at risk of being invisibly grouped with other patients by Google and Facebook’s advertising platforms, potentially giving the companies’ algorithms data that could infer sensitive information about a patient’s condition. Advertisers could then target patients with ads tailored to those sensitive conditions.
For instance, some people in a group that Facebook has built around the waiting-room URL may actively engage with content related to the condition they are being treated for, such as diabetes support groups on Facebook. In that case, even though Facebook has not explicitly connected the name of the doctor from Doxy.me to its services, everyone associated with that URL would now be grouped with users interested in diabetes content and could receive related ads from marketers.
Both Facebook and Google have policies against collecting and using sensitive information like medical diagnoses.
However, it’s unlikely that the companies’ filters to prevent this collection would catch a doctor’s name devoid of other context, Edwards says. That means unless the companies are going in and manually deleting the data, it will be ingested by their algorithms.
Disclosures in the data supply chain
For Doxy.me, working with third parties like Google and Facebook in order to optimize data analytics and marketing creates a set of risks separate from encrypting patient sessions or requiring strong passwords.
Regulators and lawmakers have signaled their intent to address the privacy risks of telehealth apps. The Federal Trade Commission in September adopted rules that would fine health apps for failing to notify consumers about sharing personal information without their permission.
“As soon as you start sharing data, networks, there are some things that are out of your control and much of the responsibility here is on the ad networks themselves,” said Rykov, of the Mozilla Foundation. “They operate like a black box, we don’t really know what their algorithm is doing and what they’re capable of.”
Google and HubSpot did not respond to requests for comment.
Facebook is conducting a closer inspection into what data has been shared, a spokesperson told CyberScoop.
“I think that there are far too few companies that appreciate that the data supply chain is adversarial,” said Edwards.
While data points such as IP addresses and device identifiers may not be as revealing as the name of a patient’s physician, when combined they can create a powerful data set that allows some of the world’s biggest advertising platforms to track users across the internet.
Justin Brookman, director of Consumer Privacy and Technology Policy for Consumer Reports, told CyberScoop that the onus shouldn’t be on consumers to parse complex privacy policies.
“It’s a lot for any user to have to track down and figure out. That’s why there need to be legal protections, including for less identifiable, but still personal data, like IP addresses and device IDs,” he said.
“Google and Facebook have used tons of third party data to target ads to people that maybe they didn’t want or expect.”
Update, Dec. 13: This story was amended to clarify that no patient health data was exposed.