
Our security team detected and stopped a malicious action against Doctolib targeting administrative appointment information

1 - Update on the situation

What happened

On Tuesday 21st of July, our security team detected and stopped a malicious action against Doctolib, which allowed illegal access to some administrative information of 6,128 appointments. 

The administrative information concerned is as follows: the patient's first name, surname, gender, telephone number and email address, as well as the appointment date, name and specialty of the healthcare professional concerned by the appointment.

It is important to note that:

- this illegal access does not concern appointments booked on the Doctolib website or app or through Doctolib practice management software, but appointments booked on some third-party software solutions connected to Doctolib;
- no medical data could be read: no reason for the medical visit, no medical document, no information related to the patient's health record was concerned;
- no password could be read;
- to date, there is no evidence that this administrative information has been used in any way;
- there has been no modification of this administrative information.

What we have done

As soon as we detected this malicious action, we very quickly:

- identified its source;
- stopped this malicious action;
- informed the competent authorities, in particular the Commission Nationale de l'Informatique et des Libertés (CNIL), our supervisory authority when it comes to data protection;
- filed a complaint with the police;
- contacted the practices and facilities concerned and exchanged regularly with them as part of our security procedures.

Our commitment to protecting personal data

The information that affects our health is personal. Privacy is a fundamental right and one of Doctolib's core values. This is why we are committed to protecting the personal data of our users according to 3 leading principles:

1. Patients have full control of their personal health data
2. We do not use patients' personal health data
3. Patients' personal health data is secure

In line with these principles, we wanted to communicate in full transparency about this malicious action of which we were the victim.

2 - Questions and Answers

I am a patient

I have already made an appointment on Doctolib: does this affect my information?

No, this incident does not concern appointments booked on the Doctolib website or app or through Doctolib practice management software.

Has anyone been able to access my medical data?

No, no medical data could be read: no reason for the medical visit, no medical document, no information relating to a patient's medical record was involved.

Do I have to change my password and/or reconfigure my access to Doctolib?

No, no password could be read, and no one other than you could, or can now, access your account.

What use was made of the administrative information targeted by this malicious action?

To date, we have no reason to believe that this administrative information is being used in any way whatsoever.

Could some of my administrative information have been concerned?

We are in contact with the practitioners and healthcare facilities concerned, in order to help them identify the impacted patients. 


I am a health professional

Has anyone had access to my Doctolib software?

No, this incident does not concern appointments booked on the Doctolib website or app or through Doctolib practice management software.

Has anyone been able to access my patients' medical data?

No, no medical data could be read: no reason for the medical visit, no medical documents, no information relating to the patient's medical file and no passwords were involved.

Was my practice or hospital involved in this malicious action?

We are in contact with the practices and facilities concerned.

If you are not contacted, your information is not affected.