Laudator Dr. Thilo Weichert
the company Doctolib in Berlin
for their appointment scheduling portal for medical doctors.
The Doctolib portal processes data of many thousands of patients without regard to medical confidentiality.
For health professionals, especially doctors, and their patients, the offer is ingenious: The doctors enter into a contract with Doctolib, allow access to patient data and can then have appointments for treatments, consultations or vaccinations arranged via a website. And just like that, patients can book their appointments online. No more waiting in a telephone queue, no stressed personnel, Doctolib even reminds the patient of their appointment – and for all of this the practices pay only slightly more than 100 € a month. For the patients it is free of cost. And it gets better. Doctolib promises:
“For DOCTOLIB, data security and the confidentiality of user’s personal data is of the highest priority. Therefore DOCTOLIB is committed to complying to all German and European regulations on the protection of personal data. DOCTOLIB adheres to the rules of professional conduct issued by the respective chambers and associations for doctors and healthcare professionals.”
Well then, everything is just fine. On the surface.
In truth, doctors should become suspicious very soon, because when a doctor wants to use Doctolib for their practice, a company employee appears and asks for access to the complete patient data recorded in their information system.
And that is not all: After importing the patient list, the appointment schedules in the practice system and in Doctolib’s scheduling system have to be synchronised at regular intervals.
That seems objectionable from the start. Nevertheless, practices do participate in this service. Most doctors do not understand the technical process adequately and rely on the expertise of Doctolib and their promise to respect patient confidentiality and data security.
As an additional service, Doctolib offers the patient a list of doctors nationwide as well as a video service for tele-consultations. Since the beginning of the Corona pandemic, Doctolib also arranges vaccination appointments for the French department of health as well as for the health authorities in Berlin.
And it really does work. Doctolib boasts a customer satisfaction rate of 97%. According to its own claims, 150,000 doctors and health professionals in France and Germany and 50 million patients use their service. Three different seals of quality affirm that everything is in order.
Lack of transparency
The devil is in the detail: Doctolib formally differentiates between processing on behalf of the health professional and Doctolib’s own responsibility for its web content. So far, so good and correct. But then Doctolib presumes to merge data that they have processed on behalf of a doctor in Doctolib’s own appointment scheduling database. For doctors and patients, and also for us, it remains unclear how these data will be further used.
Especially sensitive health data
It should be beyond dispute that medical appointments as well as metadata from video consultations are sensitive health data, which are under the special protection of the General Data Protection Regulation (GDPR). The patient’s trust in their doctor forbids that names, appointments, and treatments should fall into the hands of third parties or be used for purposes other than treatment or consultation in the trusted practice. Legally, doctors are allowed to enter into processing contracts without requiring their patients’ consent. But this trust relationship would be violated in a punishable way if Doctolib accesses a doctor’s data on those patients who have neither arranged any appointments nor have an account with Doctolib, and if those affected are not informed that the data was shared.
Advertising, tracking, analysis – who is responsible?
However strongly Doctolib professes to be committed to data protection and patient confidentiality, we have to question this promise after examining all the fine print.
For example, Google appears in the Doctolib cookie list with their Analytics and Adwords and Ads services. The stated purposes are tracking or tracing website usage. For Ads, the purpose is simply advertising. Once consent has been given to data utilisation for advertisements and opinion polls, this apparently means that each time an appointment is made the data is shared with, for example, Google. The same problem arises when social networks such as Twitter, Instagram, Facebook, LinkedIn, Medium and YouTube are integrated into Doctolib’s start page. What purpose this serves, why an appointment allocation page needs a YouTube button, is a question that Doctolib should seriously be asked. The respective cookie settings on offer are “accept all”. And Doctolib innocently explains that they are not responsible for the way these services handle data.
Here Doctolib is mistaken: The European Court of Justice recently decided in three independent cases that in such data processing the website provider, in this case Doctolib, shares responsibility. We say: commercial social media providers have no part to play in the doctor–patient relationship, especially not when they are seated in an unsafe third country such as the United States.
In Doctolib’s “user terms and conditions” of 2019, patients can read that by giving their consent, they release their doctors from professional confidentiality. The patients are not told why and what for, and we were not told either when we asked. It should be clear that such a release in the fine print is not valid.
In fact, the breach of confidentiality starts earlier and it has vast proportions: It is true that under a new legal regulation of 2017 doctors are explicitly allowed to use services like Doctolib. However, there is the prerequisite that the disclosed confidential patient data are truly necessary for the service. It is definitely not necessary for Doctolib to import a doctor’s full list of patients. It would be sufficient for the company’s appointment scheduling to have a list of available times from the doctor and then negotiate these with the doctor’s system.
As a service acting for a doctor and as its data processor, Doctolib is obligated to separate its clients. That means Doctolib is not permitted to merge patient data from different doctors. But that is exactly what the company appears to do. At the Chaos Computer Congress 2020 it was reported [1] that a Doctolib database was leaked to the Chaos Computer Club. It was possible via the reported gap to access over 150 million scheduled appointments. These data presumably arose from synchronisation with appointment calendars from doctors’ practices and reached back to the year 1990 [2]. How the data were or still are processed, what Doctolib does with this collection and why outdated data has not been deleted remains the business secret of our awardee.
The allegedly awarded seals of quality do not relate to the GDPR, contrary to the company’s claims. What was given a seal here and why remains largely Doctolib’s secret. What is known is that Doctolib uses an Amazon cloud service certified in France – with European computers. [3]
What does Doctolib really do?
Our enquiries with the company about the millionfold downloading of patient data, client separation and much more remained unanswered.
Therefore we can only speculate about what goes on in the servers of AWS and Doctolib.
By the way, to speculate is what venture capitalists do as well. The company, established in 2013, was provided with 23 million € in 2016, a further 35 million € in 2017 and another 150 million € in 2019. Doctolib has now become one of the so-called Unicorns; that is a term for companies valued at over a billion € on the capital market. [4]
Whereas the global and European market for Internet user data is divided up between Facebook and Google, the market for health data has become a new playing field for IT companies and speculators. So far US companies could be largely kept out of this European market with reference to doctors’ confidentiality obligations. Doctolib is working on grabbing a large piece of this cake by professing a wholehearted commitment to this confidentiality, without really being oriented towards it.
The digitalisation of our health system is important, in order to improve public health care and maintain it at a high level. This must not happen at the expense of confidentiality between patients and health professionals. Since Doctolib subordinates this confidentiality to its drive for expansion, the company deserves the BigBrotherAward 2021 in the category Health.
Thilo Weichert has written a comprehensive report about Doctolib on behalf of Netzwerk Expertise, which was published on the day of the gala: https://www.netzwerk-datenschutzexpertise.de/sites/default/files/gut_2021_doctolib.pdf (German)
[1] Video recording of the CCC talk: https://media.ccc.de/v/rc3-11342-tut_mal_kurz_weh_neues_aus_der_gesundheits-it (German – English interpretation might still be added – the section on Doctolib data starts at 1:00:00)
[2] Wasner, Datenpanne bei Online-Terminbuchungsportal, 19./25 Jan 2021, https://www.medical-tribune.de/praxis-und-wirtschaft/praxismanagement/artikel/datenpanne-bei-online-terminbuchungsportal/; Datenlecks in deutschen Arztpraxen: Massenhaft sensible Patientendaten waren für Unbefugte zugänglich, 30.12.2020, https://www.spiegel.de/netzwelt/web/arztpraxen-sensible-patientendaten-waren-fuer-unbefugte-zugaenglich-a-b786d37c-8dc5-4e03-b20d-a51bb9751264; https://media.ccc.de/v/rc3-11342-tut_mal_kurz_weh_neues_aus_der_gesundheits-it.
[4] Haak, Doctolib wird zum Einhorn (Doctolib becomes a Unicorn), 20 Mar 2019, https://www.businessinsider.de/gruenderszene/health/doctolib-einhorn/.