Telehealth app Doxy.me is fixing a patient health data leak
A report from CyberScoop
Overview
CyberScoop reports that, after examining the Doxy.me platform, privacy researcher Zach Edwards discovered that the company appeared to be sharing IP addresses and unique device identification numbers with Google, Facebook, and the marketing software company HubSpot.
Why is this important to me?
CyberScoop notes that users of Doxy.me may be inadvertently grouped with other patients by Google's and Facebook's advertising platforms, possibly providing data to the firms' algorithms that might infer sensitive information about a patient's health. Advertisers could then target patients with ads personalized to their specific ailments.
Among the third parties named in Doxy's privacy policy are Google Analytics, Facebook Ads, Google Ads, and HubSpot. According to the company, "usage data" includes Internet Protocol address, browser type, browser version, and a mobile device's unique ID number.
The problem is that, when joined with other data, those pieces may form a formidable data set that allows some of the world's biggest advertising platforms to track individuals online.
What should I do about it?
The CyberScoop article notes: "In its privacy policy, Doxy acknowledges that it shares “usage data” with several third parties including Google Analytics, Facebook Ads, Google Ads and HubSpot. Per the company’s definition, “usage data” can include but is not limited to Internet Protocol address, browser type, browser version, and a mobile device’s unique ID number."
So while usage data was exposed, it was not necessarily "leaked". If you are uncomfortable about that, reach out to Doxy.me to confirm the status of the identity leak, and have them confirm that your data is safe and has not been exposed beyond the definition of "usage data". Letting them know that you are a concerned patient/user is a good thing!
You can reach out to Doxy here: https://doxy.me/en/contact/