The letter confirmed that patient data stored in Zocdoc’s portal could have been accessed, including a patient’s name, email address, phone number, and the times and dates of their appointments, but also other data that may have been shared with the practice - such as insurance details, Social Security numbers and details of the patient’s medical history.īut Zocdoc said payment card numbers, radiological or diagnostic reports, and medical records were not taken, since it does not store this data.
Zocdoc, which lets prospective patients book appointments with doctors and dentists, said that it gives each medical or dental practice usernames and passwords for its staff to access appointments made through Zocdoc, but that “programming errors” - essentially a software bug in Zocdoc’s own systems - “allowed some past or current practice staff members to access the provider portal after their usernames and passwords were intended to be removed, deleted or otherwise limited.” Zocdoc confirmed that around 7,600 users across the U.S. The New York-based company revealed the issue in a letter to the California attorney general’s office, which requires companies with more than 500 residents of the state affected by a security lapse or breach to disclose the incident.
Zocdoc says it has fixed a bug that allowed current and former staff at doctor’s offices and dental practices to access patient data because their user accounts weren’t properly decommissioned.