Review date: 04/23/2020
Doxy.me is a popular telemedicine platform used by doctors and therapists that bills itself as "simple, free, and secure." This program works through your web browser – like Firefox, Chrome, or Safari – rather than as an app you download to your smartphone or computer. This means keeping your browser updated is crucial to protecting your privacy while online with your doctor. The telemedicine app is free for patients; health providers and clinics must pay for the service. One thing we found in our research that raised an eyebrow is the fact that providers are able to use the very weak password '123' for their accounts. Weak passwords are never good, especially on sensitive video calls with your therapist.
What could happen if something goes wrong
We’re afraid a number of things could go wrong. Doxy.me doesn't require a strong password when health care professionals set up an account, and two-factor authentication is not an option, so accounts could easily be hacked. That means a bad person could pretend to be your doctor. Also, there is no requirement to prove you are the actual patient who is supposed to join the call, meaning doctors or therapists who don't have a previously established relationship with a patient might not know if the person who joins their virtual appointment is really who they say they are. Similarly, because the meeting starts when the provider admits the client from the waiting room (after the client types in their name), anyone who guesses a potential patient's name could be admitted; however, only one person can be admitted at a time, and the provider can end the call. This is all a bit frightening for a video call app targeted at doctors, therapists, and their potentially vulnerable patients.
What is required to sign up?
Third party account
Medical practitioners are required to sign in to Doxy.me using an email address or a third-party Facebook or Google account. Patients and clients are not required to sign in at all and are unable to create an account.
What data does it collect?
How does it use this data?
How are your recordings handled?
Alerts when calls are being recorded?
Doxy.me does not allow video recording. However, third-party apps exist that can record a call, potentially without notifying the other participants.
Does the platform say it is compliant with US medical privacy laws?
Doxy.me can be HIPAA compliant. Please check with your healthcare provider to make sure the version of Doxy.me they use meets all the requirements.
Links to privacy information
Can I control it?
Is it easy to learn and use the features?
Clients or patients don't have any controls other than "pin to main screen," "mute myself," "turn off camera," and "hide my preview." Practitioner controls are easy to find and are explained at https://help.doxy.me.
Does this product meet our Minimum Security Standards?
All calls on Doxy.me use end-to-end encryption.
Doxy.me recently updated its password requirement so that new users must sign up with a strong password. Only health providers are required to log in to accounts using a password; patients are not required to make accounts. Existing users were able to sign up with a weak password such as "123".
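To make the password-policy point concrete, here is an added example of how a provider-login system can enforce a minimum password standard for new sign-ups while still catching accounts that were created under the old rules with a password like "123". This is illustrative code written for this review, not Doxy.me's own implementation; the 12-character length floor, the small deny list of common passwords, and the "force a change at next login" behaviour are assumptions chosen to show the technique.

```python
"""Defender-side password-policy enforcement for a provider login.

Hypothetical example, not Doxy.me code. It models the fix described above:
new accounts must meet a minimum policy, while accounts created before the
policy existed (e.g. with password "123") are flagged for a forced password
change at their next successful login instead of being silently accepted.
"""
import hashlib
import os
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: a length floor in the style of NIST SP 800-63B, with no
# composition rules (no "must contain a symbol" requirements).
MIN_LENGTH = 12

# Constructed sample of a common/breached-password deny list; a real
# deployment would use a large list or a breach-lookup service.
COMMON_PASSWORDS = {"123", "123456", "password", "qwerty", "letmein", "doxyme"}


def policy_violations(password: str, username: str = "") -> List[str]:
    """Return the policy rules the password fails (empty list == acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on common-password deny list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; never store the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


@dataclass
class ProviderAccount:
    username: str
    salt: bytes
    digest: bytes
    must_change_password: bool = False


def create_account(username: str, password: str) -> ProviderAccount:
    """New sign-up path: reject any password that violates the policy."""
    problems = policy_violations(password, username)
    if problems:
        raise ValueError("weak password: " + "; ".join(problems))
    salt, digest = hash_password(password)
    return ProviderAccount(username, salt, digest)


def legacy_account(username: str, password: str) -> ProviderAccount:
    """Models an account created before the policy existed (no check applied)."""
    salt, digest = hash_password(password)
    return ProviderAccount(username, salt, digest)


def login(account: ProviderAccount, password: str) -> str:
    """Verify the password in constant time; weak legacy passwords succeed once
    but mark the account so the application forces a change before use."""
    _, digest = hash_password(password, account.salt)
    if not secrets.compare_digest(digest, account.digest):
        return "denied"
    if policy_violations(password, account.username):
        account.must_change_password = True
        return "must_change_password"
    return "ok"


if __name__ == "__main__":
    # Constructed walk-through: a new sign-up with "123" is refused, while an
    # old account that already has "123" is forced to change it at next login.
    try:
        create_account("dr_smith", "123")
    except ValueError as err:
        print("new sign-up rejected:", err)
    old = legacy_account("dr_jones", "123")
    print("legacy login result:", login(old, "123"))
```

The important design choice is that the legacy check runs at login time, when the plaintext is briefly available for verification; stored hashes cannot be re-evaluated against a policy, so this is the only point at which an old weak password can be detected without forcing a reset for every account.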
Doxy.me is accessed only through web browsers like Firefox, Chrome, and Safari. This puts the onus of security on the web browser. That means keeping your web browser updated, so its security is always up to date, is extremely important when using Doxy.me.
UPDATE 6/29/2020: Doxy.me has now added a bug bounty program.