There is no security risk in exposing whatever identifiers.
While real security risk is lack of Authorization and Rights Management system, which have to decide which user has rights to see which page.
Roughly it should be a table where user id and appointment id are stored, and your site should check this table before displaying an appointment.