June 06, 2023
Data Loss: what can you do to prevent it? (Looking at the Doctolib Incident in May 2023)
You might have seen the news: Doctolib, the popular medical appointment booking platform, recently faced a major incident in which thousands of sensitive medical consultation records were mistakenly deleted. This technical mishap, which occurred over a period of 18 hours, has affected several patients in France. Let us hope that there was no misuse of data, and that it will be safely restored and returned to the hands of doctors and patients.
While Doctolib claims that the incident has been resolved and practitioners can now re-enter the affected information, the response from the company has received criticism for being inadequate and delayed. Thankfully, this incident was not a data leak or a cyberattack; it was attributed to a technical bug during the implementation of a new feature on the platform. Doctolib assures that the lost data did not fall into the wrong hands. However, the lack of timely reporting and transparency surrounding the incident has raised concerns among healthcare professionals and patients alike.
As there is no official statement from the French national data protection authority, the CNIL, this could potentially be a breach of Article 33 of the GDPR (notification of a personal data breach to the supervisory authority within 72 hours, or to the data controller).
Patients who had consultations during the affected timeframe may have partially damaged files. In such cases, it is up to the respective doctors to rectify the platform’s error. Unfortunately, there is no way for patients to determine on their own whether their data was impacted. These records are vital for their therapy, especially for those who struggle with memory, have multiple diseases, or face mental health issues. Doctors rely on this data to check for comorbidities and prescribe previously tested drugs. Without access to this crucial information, a significant aspect of patient safety is compromised.
The recent issue with Doctolib accidentally deleting important medical data highlights why companies need to take better care of their data. It’s crucial that businesses, especially ones dealing with sensitive health information, have strong safety measures in place to prevent this kind of incident. And, if a mishap does happen, they need to promptly inform the affected parties.
Now, we’re going to look at some solutions and best practices that companies can implement to keep their data safe and ready when needed. Once they adopt these measures, companies can enhance their data protection strategies and mitigate risks associated with data incidents.
- Data Backup: Regularly back up all critical data so that, in case of any accidental deletion or loss, reliable copies are available for restoration.
- Robust Data Encryption: Implement strong encryption protocols to protect sensitive data from unauthorized access. Encryption should be applied during data transit and storage, using industry-standard algorithms and regular key updates. If you are interested in our end-to-end encryption solution, check out our page: https://icure.com/developers/trust-and-data-privacy/.
- Regular Security Audits and Assessments: Conduct routine security audits, penetration testing, and vulnerability scans to identify and address system vulnerabilities promptly. Code reviews and ongoing monitoring ensure a proactive approach to security. To learn more about our commitment to security, explore our blog post on iCure’s ISO27001 certification: https://icure.com/blog/icure-ISO-27001:2013-certified/.
- Strict Access Controls: Limit access to sensitive data to authorized personnel. Implement strong authentication mechanisms, like multi-factor authentication, and regularly review and revoke access privileges to minimize the risk of unauthorized breaches. Consider third-party access as well: where you use external providers, check how well their access control is managed.
- Ongoing Security Monitoring: Implement robust security monitoring systems to detect and respond to abnormal activities or unauthorized access attempts promptly. Intrusion detection systems, log analysis, and real-time alerts ensure proactive threat detection. At iCure, we call it the “Hyperion monitor”, in reference to Greek mythology.
- Incident Response Plan: Develop a comprehensive incident response plan that outlines procedures for identifying, reporting, and addressing security incidents. It will help the company to react quickly and in compliance with GDPR.
- Transparent Communication: Maintain open and transparent communication with affected parties in case of incidents. Promptly inform them about the situation, the steps being taken to address it, and any measures they need to take to mitigate potential risks.
By integrating these solutions, organizations can strengthen their data security practices and reduce accidental data deletions such as the one Doctolib experienced in this unfortunate event. Nowadays, having extensive data security and risk mitigation in place is essential to safeguarding user data and instilling trust in the digital age.