Babylon Health, makers of a smartphone app that allows Brits to have consultations with NHS doctors, has admitted that a “software error” resulted in some users being able to access other patients’ private video chats with GPs.
The data breach came to light after one user, Rory Glover, tweeted that he was shocked to find the app’s “GP at Hand” functionality had given him unauthorised access to “over 50 video recordings”:
“Why have I got access to other patients video consultations through your app? This is a massive data breach. Over 50 video recordings are on this list!”
Glover attached a screenshot, showing that it was possible to replay the medical consultations on his Android smartphone:
In a statement given to The Guardian, Babylon Health confirmed the breach, and said that only three patients booking appointments had been presented with other patients’ video recordings:
“On the afternoon of Tuesday 9 June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient’s consultation recording.”
“Our investigation showed that three patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients’ consultations through a subsection of the user’s profile within the Babylon app.”
“This was the result of a software error rather than a malicious attack. The problem was identified and resolved quickly. Of course we take any security issue, however small, very seriously and have contacted the patients affected to update, apologise to and support where required.”
A Babylon Health spokesperson separately claimed that the firm’s software engineering department was already aware of the issue before it was made aware of Glover’s discovery.
As the underlying problem was a software problem I did wonder how only three patients were given access to other patients’ video consultations via the app, or whether there was a particular sequence of conditions that had to be present for a user to gain access to the sensitive recordings.
No more details have been shared by Babylon Health about the nature of the software bug, other than to say that it has now been fixed, and that it was related to a newly-introduced featured that allowed users to switch from audio-only calls with a GP to video-based consultations part way through a call.
To make mistakes is human, and software developers are (mostly) human… so it’s not a surprise to hear that a complex app like this might have bugs. However, it underlines the importance of proper quality control and testing before an app – especially one like this which is used for communicating personal and sensitive medical information – is rolled out to the public.
The UK’s data regulator, the Information Commissioner’s Office (ICO), confirmed that it had been contacted about the incident, and underlined the importance of properly securing the public’s private medical information:
“People’s medical data is highly sensitive information, not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law. When a data incident occurs, we would expect an organisation to consider whether it is appropriate to contact the people affected, and to consider whether there are steps that can be taken to protect them from any potential adverse effects.”
And I think that’s a very important point to make. Although the number of people affected by this particular data breach appears to have fortunately been small, health data has been given “special category” status, meaning that the highest levels of data protection should be in place.
And, as an incentive for any companies who might need convincing of the importance of properly securing medical data, very large financial penalties can be meted out by regulators if they determine an organisation was careless or did not take the threat seriously enough.
For his part, Glover said he would not be trusting the Bablyon Health app again, telling The Guardian:
“It’s an issue of doctor-patient confidentiality. You expect anything you say to be private, not for it to be shared with a stranger.”
Babylon Health, whose GP at Hand app has been the subject of some controversy in the past, intends to expand into the United States and Asia.