Personal data on Doctolib is reportedly not fully encrypted.

France Inter's investigation unit says that, contrary to what the medical platform announces, Doctolib does not encrypt all user data.

“After working for two years with Tanker, a cutting-edge French technology company specializing in data security (…), Doctolib today announces the implementation of end-to-end encryption for the personal health data of its users,” Doctolib nevertheless assured in a June 2020 press release.

In other words, only patients and their doctors could have access to personal data.

Enough to reassure its many users.

Data visible in the code of the page

However, according to the public radio station, logging in to a Doctolib account with an email address and password was enough to find that "the details of our next appointments: patient's first and last name, date and time of the appointment, name and specialty of the doctor and even the reason for the consultation" were visible by inspecting the code of the page.

This can be done with any browser.

“We received clear data from Doctolib on your next appointments. We did not receive them encrypted,” explains Benjamin Sonntag, co-founder of the association La Quadrature du Net, which carried out the test alongside France Inter. “So this means that Doctolib itself has this information in the clear.”

Doctolib confirms

The data is indeed encrypted in transit between Doctolib's servers and our browser.

"No one can intercept them along the way," says France Inter.

But Doctolib staff who maintain the platform can access this information.

Doctolib confirms that "meeting data is not end-to-end encrypted", but explains that this system is necessary to "guarantee the usefulness and proper functioning of the service".

“A very limited number of employees have access to medical appointments (…) as part of support functions,” explains the platform.
