With a temporary lift in telehealth restrictions, many clinicians have also adopted Zoom as a tool for video visits. But the company’s privacy practices have recently come under fire, in a complaint filed by the Federal Trade Commission related to Zoom’s encryption claims.
The agency had filed a complaint against Zoom for claiming, since 2016, that it offered end-to-end encryption when it allegedly held cryptographic keys that would let it decrypt the content of customers’ meetings. With end-to-end encryption, only the participants in a conversation hold the keys and can see a message or video; the service carrying the traffic cannot.
Zoom reportedly touted end-to-end AES 256-bit encryption in a HIPAA compliance guide for its healthcare products. But according to the complaint, Zoom did not provide end-to-end encryption, and it used a shorter key, AES 128-bit, rather than the 256-bit key it advertised. (AES-128 is not itself considered weak; the more serious issue was that Zoom, and not only the meeting participants, held the keys.) The company has marketed a healthcare version of its platform for several years.
The company also claimed that recorded meetings were stored encrypted in its cloud storage when, according to the complaint, recordings were stored unencrypted for 60 days.
Zoom agreed to improve its security practices in a tentative settlement it struck on Monday with the Federal Trade Commission. Two weeks prior, it had announced it would offer 256-bit end-to-end encryption to all of its users. More recently, the company also touted new features for its healthcare users, including the ability to record Zoom sessions to the cloud and to conduct voice calls or chats.
“The security of our users is a top priority for Zoom. We take seriously the trust our users place in us every day, particularly as they rely on us to keep them connected through this unprecedented global crisis, and we continuously improve our security and privacy programs,” a company spokesperson wrote in an email. “We are proud of the advancements we have made to our platform, and we have already addressed the issues identified by the FTC.”
There was no monetary penalty in the settlement, and Zoom is not required to issue refunds or notice to its paying customers, a concern that Commissioners Rohit Chopra and Rebecca Kelly Slaughter raised in their dissenting statements.
The company currently sells the healthcare version of its software, which it says is HIPAA compliant, to hospitals and physician practices. The cost starts at $200 per month.
Zoom claims that it does not have access to identifiable protected health information (PHI) and therefore does not fall under HIPAA requirements. HIPAA’s conduit exception lets healthcare providers use entities that merely transmit PHI without entering a business associate agreement, a contract that specifies how each party must handle protected health information. That position is harder to sustain if the provider holds keys that can decrypt meeting content, which is what the complaint alleged. That said, Zoom also offers signed business associate agreements for its healthcare product, according to its website.
It’s not clear how many clinicians have picked up Zoom’s software since the start of the pandemic—and the company has not yet shared a number. But according to a survey conducted by Sermo, a significant portion of physicians reported turning to video conferencing tools like Zoom or Skype for remote treatment.
This article has been updated with a statement from Zoom.