Zocdoc Doesn’t Offer Two-Factor Authentication For Your Medical Info

Most social networking sites do it. Why won't those with your medical information?

Illustration: R. A. Di Ieso
Feb 09, 2017 at 2:31 PM ET

Update, March 6, 2017: DocASAP has since given users the option to use two-factor authentication for both each new login and forgotten passwords.

The internet’s most popular sites to connect patients with doctors neglect a basic security measure, a Vocativ analysis has found.

Three of the most popular such services, including Zocdoc, which is used by six million users a month, don’t use two-factor authentication to protect user accounts. That means that if a hacker gains access to a user’s email account, they can easily reset the user’s site password and have free reign to explore whatever medical history that user has given that site.

Of the four sites Vocativ signed up for to test, Zocdoc,, and, three of didn’t offer two-factor authentication.

Two-factor authentication has long been standard for many of the internet’s most popular social sites, and cybersecurity experts strongly encourage its use. The idea is simple: Don’t just rely on one password to uniquely identify yourself to access your account, but instead offer a second means to confirm your identity. The most common method to enable two-factor authentication is for a site — say, Twitter — to associate your phone number with your account, so that if you try to change your password, you can only do so if you can also provide a code texted to that number. In that scenario, if a hacker breaks into your email, they would need to also have access to your cell phone to also break into your Twitter account.

Without two-factor authentication, however, anyone who accesses your email account faces little resistance to your Zocdoc information. A hacker would merely click “Forgot your password” to compel Zocdoc to email them a means to reset your Zocdoc password., offers something resembling two-factor authentication. To reset your password on that site, you need to provide the user’s birthday. But that’s nearly worthless. A person’s birthday is one of her most public forms of information — available everywhere from public records sites to, in many cases, a user’s Facebook page — meaning this measure would largely deter only the laziest or stupidest hackers.

“For any company that is handling sensitive information such as patient health information, implementing two-factor for authentication for users as an extra layer of security should be an absolute no-brainer,” Jessy Irwin, Vice President of Privacy and Security at Mercury Public Affairs and a frequent speaker on cybersecurity issues, told Vocativ. “This is not a new idea, and it has been proven many, many times over to help stop account takeover.”

When Vocativ requested comment, Zocdoc responded: “We don’t share our security product roadmap due to the potential risk it poses,” a representative said.

All four sites are created to connect users to doctors and medical facilities, meaning that weak security exposes their users’ medical history. But of them, only Zocdoc and DocASAP actually store customers’ insurance records. Zocdoc in particular stores a large amount of users’ personal information, including race, ethnicity, and past doctor’s appointments, sometimes with the specific reason for the visit — which can fetch a decent price on online black markets, Irwin said.

“Given that medical records go for anywhere between $500 and $900 each on dark web criminal markets, any company that isn’t taking measures to implement two-factor authentication (or two-step verification) has quite a bit of explaining to do,” she said.

Related Video