Doctolib: should we be afraid for the security of our medical data?

You must have heard of it. For good reason: it is difficult not to know the Doctolib medical platform, especially since it has become the manager of 90% of appointments in French vaccination centers. Indeed, the company signed an agreement with the French state in January 2021 to manage access to appointments, alongside the Maiia and KelDoc platforms.

The result: 50 million registered users in France, 5 million in Germany, and a private platform used by 25,000 general practitioners in France for making appointments, i.e. almost half of the country. With an appointment booking service offered at €120 per month for doctors and €214 per month for vaccination centers, Doctolib has done well since the start of the pandemic. To give you an idea, the 2,600 sites opened for vaccination in France by municipalities, hospitals or regional health agencies represent an envelope of €500,000 per month for Doctolib.

Faced with this worrying hegemony of Doctolib, several health professionals, journalists and cybersecurity specialists have looked into the processing of the medical data that the platform collects every day. Unsurprisingly, certain elements are of concern, starting with the fact that Doctolib relies on Amazon Web Services to manage this data.

The problem: the American giant is not subject to the European Union's GDPR. In other words, nothing prevents the company from sharing this data with the American authorities at Washington's request, as provided for in the Foreign Intelligence Surveillance Act. On this subject, Doctolib assures that it has negotiated clauses with Amazon to prevent any data transfer.

Broken end-to-end encryption and worrying Amazon usage

However, as stated by Juliette Alibert, a lawyer specializing in the defense of fundamental freedoms, “Amazon will have no choice. It is subject to American law and must apply what it is ordered, if necessary in a confidential manner. The contractual guarantees do not legally stand up to these extra-territorial laws. And since Doctolib’s data is not really end-to-end encrypted, technically it is accessible to Amazon and to the American authorities”.

To that we must add weaknesses in the end-to-end encryption that Doctolib highlights on its site. While the platform asserts that patient personal data is accessible only to healthcare professionals, the InterHop association was able to access Doctolib data in the clear while it was stored on Amazon servers.

In other words, anyone can access it: Doctolib's teams as well as Amazon's, the US government if the mood takes it, and our dear hacker friends. France Inter also highlighted these flaws in a recent article: “We have carried out a test which consists of verifying whether the data is encrypted when one connects to one's account and a request is sent to the Amazon server. This process, which consists of reading the data as it appears on the server before being sent to the user when they connect to their account, showed that the data was already in the clear at this level; it was therefore no longer encrypted”.

Faced with these multiple risks for the data of the French, InterHop, the Union of general medicine and the League of Human Rights requested the termination of the contract between Doctolib and the Ministry of Health. Unfortunately, without success... The Council of State decided otherwise.

Source: Bastamag
