A privacy flaw in the Babylon Health GP app gave one user access to the recordings of dozens of other patients’ video consultations.
The data breach came to light after a user tipped off the BBC. Babylon claims the flaw affected only a small number of users, that only one accessed another’s recording and that it resolved the issue within two hours of becoming aware of it.
But the incident is likely to damage trust in a fledgling technology that has already rustled feathers in the medical community. Rory Glover, the patient who discovered the breach, was able to access about 50 recorded video sessions belonging to other users.
“You don’t expect to see anything like that when you’re using a trusted app,” he told the BBC. “It’s shocking to see such a monumental error has been made.”
Medical data is among the most sensitive forms of personal data and Babylon, which said it became aware of the issue only an hour before it received a complaint from a user, has notified the Information Commissioner’s Office.
Jake Moore, a cyber security specialist at ESET, said: “Although Babylon Health state they take security issues seriously, it highlights once more how extra careful organisations have to be with private and confidential data.
“It doesn’t get much more sensitive than this level of information, so extra protection must be provided to respect and protect their patients and their information.
“In the wrong hands we could have seen a more malicious outcome, so luckily this was stopped. What is worrying is how they came about the incident, stumbling upon it.”
Babylon has 2.3 million users in the UK, one of whom is the health secretary Matt Hancock who has drawn criticism for lending his support to the company. But the firm has provoked controversy for triggering a £26m funding gap for one health group and allegedly “creaming off a particular part of the public who, in terms of their health needs, are the least demanding”.
Asked to comment on the breach, a Babylon spokesperson told NS Tech: “On the afternoon of Tuesday 9th June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient’s consultation recording. Our investigation showed that two other patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients’ consultations through a subsection of the user’s profile within the Babylon App.
“This was the result of a software error rather than a malicious attack. The problem was identified and resolved quickly. Of course we take any security issue, however small, very seriously and have contacted the patients affected to update, apologise to and support where required.”