Doctolib employees have access to your personal data


Published on 05/20/2022 at 19:05

Since the start of Covid-19 and even long before, Doctolib has been used by millions of people who enter their (very) personal information every day. It would seem that all is not rosy and that user data is being used without their knowledge.

Unencrypted data on Doctolib

Doctolib is by far the number 1 site in France for making and managing medical appointments. It is possible to choose from many practitioners, and avoid the hassle of calling them all one by one to find out if a slot is available.

Health necessarily involves a lot of very sensitive information, and we wonder whether the data we enter into the site is really protected and not used for commercial purposes.

Doctolib asserts that all data of people using the site is end-to-end encrypted. The data is needed to run a site like Doctolib. The principle of end-to-end encryption is that the data travels between the parties involved (here the client and the practitioner) but cannot be read by the host site (here Doctolib), which merely relays it.

However, a recent investigation by Radio France claims the opposite. A fairly simple inspection of the source code of a user account page is enough: you don’t need to be a computer expert to understand that the company and its employees do indeed have access to appointment scheduling information.

A lack of precision in Doctolib’s communication

Concretely, Doctolib does nothing illegal. The problem in this story is that Doctolib claimed that none of the data ever passed through its employees, which is not the case.

Under the GDPR (RGPD in French), Doctolib does not have the right to use this data without the explicit agreement of the user. The company maintains that this information is not sold to anyone, and that it is used to inform patients of their appointments via a reminder by SMS or email, and to allow the date of appointments to be changed. Very few employees are said to have access to it.

This explanation makes sense, but we can’t help but have some doubts, especially when such personal information is at stake.

During the peak of the epidemic, Doctolib was of great help in enabling French people to be vaccinated effectively. After raising 500 million euros, the company became the biggest start-up in terms of capital, with a total of 5.1 billion euros.

