Potential Patient Privacy Issue


#1

Hi Team,

In trying to understand the Google Analytics tracking, looking at the pages visited on our website and the online booking forms with Cliniko, I may have spotted a potential privacy issue with Bookings and the confirmation page - maybe I need you to confirm.

At the moment, if I went through my browser history, I’d be able to pick up the URL (which includes a unique appointment token) visited when having the appointment confirmed back to me. On that page are the date, time, treatment type and location of an appointment. Whilst those data points don’t allow you to identify a person, if you already know who owns the device, you can start to put the pieces together.

See the example below… (it’s a dummy appointment I created)

If anyone uses a computer after the person who booked the appointment, they could get all the information they need about the type of appointment - which could potentially be a sensitive appointment type - and would then know all about that person’s appointment. This is true even if you don’t click ‘remember me’.

As you can imagine, this is a cause for concern, and I would look forward to a swift response.


#2

Hi @doddy550, even though the confirmation page doesn’t contain the patient’s name or any identifiable information – I can see how using a public or shared device for online booking could display sensitive information (i.e. Appointment Type). I’ve brought this up with my team to see what changes we could implement so that the confirmation or browser history no longer contains general appointment details.


#3

I’m not a security expert by any stretch of the imagination, but perhaps a session cookie would be good here? Drop the cookie when they start the form, and kill it when either a timer expires or the confirmation page has been loaded; there are no further click-throughs on the Cliniko domain after the confirmation page that would be hindered by killing a session cookie.


#4

Sorry for piling in further on this @rachel. It’s probably worth calling out that this is possible cross-device too, i.e. if I have a copy of that URL (like I do in Google Analytics), I am also able to view the appointment information from an entirely different device.


#5

No worries @doddy550. Our team is discussing some updates for this currently :raised_hands:. The plan is similar to what you mentioned. So after some time, that URL will no longer be viewable/usable – so the confirmation details will no longer be listed (regardless of what device you attempt to view it on as well).
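Editor’s note, illustrating the approach discussed in #3 and #5 with an added example. This is not Cliniko’s code and says nothing about how their release was implemented; it is a small server-side model in which the confirmation URL carries only an unguessable random token, the appointment details stay on the server, the token expires after a fixed time (assumed here to be 15 minutes) and is bound to the booking session cookie so a copy of the URL on another device or in analytics resolves to nothing. Every name (`ConfirmationStore`, `render_confirmation`, `TOKEN_TTL_SECONDS`), the `session_id` value (assumed to come from a cookie set when the form starts) and the sample appointment are assumptions constructed for the example.

```python
"""Added example, not Cliniko's code: a booking-confirmation page whose URL
token is random, short-lived and bound to the booking session, so that a URL
left in browser history or analytics no longer reveals appointment details.
Names, the TTL and the sample appointment are assumptions for illustration."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumption: the confirmation is viewable for 15 minutes

# Sent with every confirmation response, including the "expired" one.
SECURITY_HEADERS = {
    "Cache-Control": "no-store",       # keep the rendered details out of browser/proxy caches
    "Referrer-Policy": "no-referrer",  # do not send the tokenised URL as a Referer to other sites
}


@dataclass(frozen=True)
class Appointment:
    """Constructed sample record; contains no real patient data."""
    date: str
    time: str
    treatment: str
    location: str


@dataclass
class ConfirmationStore:
    """Server-side store keyed by a random token; the URL carries only the key.

    `clock` is injectable so expiry can be exercised without waiting."""
    clock: Callable[[], float] = time.time
    _entries: Dict[str, Tuple[Appointment, float, str]] = field(default_factory=dict)

    def issue(self, appt: Appointment, session_id: str) -> str:
        """Create the token that goes into the confirmation URL."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness: not enumerable
        self._entries[token] = (appt, self.clock() + TOKEN_TTL_SECONDS, session_id)
        return token

    def redeem(self, token: str, session_id: str) -> Optional[Appointment]:
        """Return the appointment only while the token is live and the caller
        presents the session it was issued to; otherwise None."""
        entry = self._entries.get(token)
        if entry is None:
            return None
        appt, expires_at, bound_session = entry
        if self.clock() > expires_at:
            self._entries.pop(token, None)  # purge so the store does not grow
            return None
        # Session binding (the cookie idea from #3): the same URL opened from
        # another device, or after the booking session cookie is gone, shows nothing.
        if not secrets.compare_digest(bound_session, session_id):
            return None
        return appt


def render_confirmation(store: ConfirmationStore, token: str,
                        session_id: str) -> Tuple[int, Dict[str, str], str]:
    """Model of the GET handler for the confirmation page: (status, headers, body)."""
    appt = store.redeem(token, session_id)
    if appt is None:
        # One generic message for unknown, expired and foreign-session tokens.
        return 404, dict(SECURITY_HEADERS), "This confirmation is no longer available."
    body = f"{appt.treatment} at {appt.location} on {appt.date} at {appt.time}"
    return 200, dict(SECURITY_HEADERS), body


if __name__ == "__main__":
    # Constructed walk-through of the flow described in the thread.
    now = [1_700_000_000.0]
    store = ConfirmationStore(clock=lambda: now[0])
    appt = Appointment("2024-05-01", "10:30", "Initial consultation", "Main clinic")
    token = store.issue(appt, session_id="sess-A")
    print(render_confirmation(store, token, "sess-A"))   # 200: booking device, in time
    print(render_confirmation(store, token, "sess-B"))   # 404: same URL, other device
    now[0] += TOKEN_TTL_SECONDS + 1
    print(render_confirmation(store, token, "sess-A"))   # 404: expired, even on the booking device
```

The `Referrer-Policy` header only stops the URL leaking to sites linked from the page; an analytics script embedded on the page reads the page URL directly, which is why the token in the URL has to stop resolving rather than merely be hidden. Binding to the session is what covers the shared-device case without ‘remember me’: the browser still records the URL in history, but a later visitor with a different (or no) session cookie gets the generic 404 body.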


#6

Thanks very much Rachel, much appreciated!


#7

Good news! This change has now been released: Browser History change for Online Booking Confirmation Page


#8

Thanks @rachel. Such a swift turnaround! Nice work!