Telehealth provider Call-On-Doc, Inc., dba Call-On-Doc.com, advertises that it has 2 million active patients and treats 150+ medical conditions. It claims to be the most highly rated telehealth service, and it assures patients of “state-of-the-art” data security for their information. But if a post on a hacking forum is accurate, Call-On-Doc recently had a breach that may have affected more than one million patients.
According to a sales listing on a hacking forum, Call-On-Doc was breached in early December, and 1,144,223 patient records were exfiltrated. The types of information reportedly included:
Patient Code, Transaction Number, Patient Name, Patient Address, Patient City, Patient State, Patient Zip, Patient Country, Patient Phone Number, Patient Email Address, Medical Category, Medical Condition, Service / Prescription, Paid Amount
Three screenshots with rows of dozens of patients’ information were included in the listing. An additional .txt file with information on 1,000 patients was also included.
Inspection of the screenshots immediately raised concerns about the sensitive information they revealed. Although some appointments were visits for conditions such as strep infections or other medical conditions, a number of patient records were for the “STD” category (sexually transmitted disease), with the specific type of STD listed in the “Condition” field.
Is Call-On-Doc HIPAA-Regulated?
Call-On-Doc does not accept insurance. It is a self-pay model, and no health insurance information or Social Security Numbers were included in the data. Because it is self-pay, DataBreaches is unsure whether Call-On-Doc is a HIPAA-regulated entity. If it uses electronic transmission for other covered transactions, it might be. But even if it is not a HIPAA-regulated entity, it would still be regulated by state laws and the Federal Trade Commission (FTC).
When HIPAA does not apply, the FTC can investigate and take enforcement action for violations of the FTC Act if there are deceptive or “unfair practices,” such as promising excellent data security for health data or patient information, but failing to deliver it.
A check of Call-On-Doc’s website reveals the following statement in its FAQ:
Q: Is my payment and medical information safe with Call-On-Doc?
A: Absolutely! Call-On-Doc employs state-of-the-art security measures, including our proprietary Electronic Health Record (EHR) system, and is fully HIPAA compliant.
According to the threat actor, they found no evidence of any encryption, and the entity did not detect the attack while it was in progress. HIPAA does not actually mandate encryption, but what “state-of-the-art” security measures did Call-On-Doc use to provide the kind of protection that protected health information (PHI) requires? And have they implemented any changes or additional protections since being alerted to the alleged breach?
Given that patients from many states may be involved, this might be a situation in which multiple state attorneys general collaborate to investigate a breach and an entity’s risk assessment, security, and incident response, including notification obligations.
Notification Obligations and Regulatory Questions
DataBreaches emailed Call-On-Doc’s privacy@ email address on Thursday to ask if it had confirmed any breach. There was no reply.
DataBreaches emailed its support@ email address on Friday. There was no reply.
If these are real data, there are several questions regulators may investigate.
According to the individual who posted the listing and shared additional details with DataBreaches in private communication, the breach occurred in early December. They contacted Call-On-Doc on December 25 to alert them to the breach and to try to negotiate a payment to avoid leaking or selling it. “They contacted me from an unofficial email address. I provided all the evidence and details, but then they stopped responding—basically ignoring me,” the person told DataBreaches.
Regardless of which federal or state agencies may have jurisdiction, if these are real patient data, Call-On-Doc also has a duty to notify patients and regulators promptly. While some regulations or statutes require “without unreasonable delay,” HIPAA has a “no later than 60 calendar days from discovery” deadline, and 19 states have notification deadlines of 30 days. As of publication, DataBreaches cannot find any substitute notice, media notice, website notice, or notification to any state attorneys general or federal regulators.
DataBreaches reminds readers that Call-On-Doc has not confirmed the claims. Even though the patient data appears likely to be real, AI has advanced to the point where threat actors can create datasets that appear legitimate. DataBreaches does not think that is the case here, but can’t rule out that possibility without contacting patients, which this site tries to avoid to spare patients any embarrassment or anxiety. For a small random sample from the 1,000 records file that DataBreaches checked via Google searches, most patients are still at the addresses listed in the 1,000-patient sample. Others could be verified as having lived at the listed addresses in the recent past.
One other detail suggests the data are real: the seller is accepting escrow for the sale, which is usually an indicator that the listing is not a scam.
This post may be updated when Call-On-Doc responds or more information becomes available.
If you were or are a Call-On-Doc patient and have heard from Call-On-Doc about a breach, we’d like to hear from you.