The time lapse in reporting was due to the complexity of the code, which took a significant amount of investigation to determine which practices and users were affected and how, a Zocdoc spokeswoman said, adding that the company provided the notice “as soon as was practicable.”
The spokeswoman emphasized that any individuals who could have had unauthorized access to the data were staff of Zocdoc health provider clients and, as such, governed by privacy and security obligations under the Health Insurance Portability and Accountability Act, or HIPAA.
“We do not believe that any misuse or unauthorized access to unsecured personal information has occurred or that any Zocdoc systems were compromised,” she said.
Zocdoc has since implemented fixes, including disabling any affected provider account credentials, repairing the code, adding security measures to monitor for unauthorized logins and auditing its system security, the spokeswoman said.
Zocdoc had reported a similar incident in 2016, according to records from the attorney general’s office.
Around 6 million users access Zocdoc each month, and the company said its revenue grew 35% in 2020 from the previous year.