Telehealth platform Doxy.me said it is resolving an issue that gave three third-party companies access to the names of patients' providers, CyberScoop reported Dec. 10.
CyberScoop found that Doxy.me, which is used by more than 1 million providers worldwide, was sharing IP addresses and unique device identification numbers with Google, Facebook and marketing software company HubSpot.
When patients clicked the link to enter Doxy.me's virtual waiting room, they were often clicking a link that contained the name of their provider. CyberScoop's investigation found that Doxy.me took measures to remove provider names from the URLs it sent to third parties, but the third parties used technical loopholes to view the full URLs.
"Frankly, this human error got by us,” Alan Mark, Doxy.me's privacy officer, told CyberScoop after the publication notified the company of the issue. "When you notified us, we took immediate action to remove most of the links and will remove the remaining one by week’s end."
Dana Fioravanti, Doxy.me's communications manager, told CyberScoop the company encrypts patient-provider interactions and does not use tracking mechanisms during those visits. She also said the company does not store personal health information.