Babylon Health admits GP app suffered a data breach

  • Published
Babylon HealthImage source, Babylon Health

Babylon Health has acknowledged that its GP video appointment app has suffered a data breach.

The firm was alerted to the problem after one of its users discovered he had been given access to dozens of video recordings of other patients' consultations.

A follow-up check by Babylon revealed a small number of further UK users could also see others' sessions.

The firm said it had since fixed the issue and notified regulators.

Babylon allows its members to speak to a doctor, therapist or other health specialist via a smartphone video call and, when appropriate, sends an electronic prescription to a nearby pharmacy. It has more than 2.3 million registered users in the UK.

Leeds-based Rory Glover had access to the service via his membership of a private health insurance plan with Bupa, one of Babylon's partners.

On Tuesday morning, when he went to check a prescription, he noticed he had about 50 videos in the Consultation Replays section of the app that did not belong to him.

Clicking on one revealed that the file contained footage of another person's appointment.

"I was shocked," he told the BBC.

"You don't expect to see anything like that when you're using a trusted app. It's shocking to see such a monumental error has been made."

Mr Glover said he alerted a work colleague to the fact, who used to work for Babylon. He in turn flagged the issue to the company's compliance department.

Image source, Rory Glover
Image caption,
Mr Glover discovered dozens of replay videos in his app that he should not have had access to

Shortly afterwards, Mr Glover's access to the clips was rescinded.

Babylon, which has its headquarters in London, has since confirmed the breach.

"On the afternoon of Tuesday 9 June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient's consultation recording," it said in statement.

"Our investigation showed that three patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients' consultations through a subsection of the user's profile within the Babylon app."

On Wednesday, the firm amended its statement to make clear that it meant two patients in addition to Mr Glover - who had in fact viewed a recording - to make the total of three.

"This was the result of a software error rather than a malicious attack," it continued.

"The problem was identified and resolved quickly.

"Of course we take any security issue, however small, very seriously and have contacted the patients affected to update, apologise to and support where required."

A spokesman said that Babylon's engineering team was already aware of the issue before it was contacted by Mr Glover's workmate.

He said the problem had been accidentally introduced via a new feature that lets users switch from audio to video-based consultations part way through a call.

And he said that Babylon had informed the Information Commissioner's Office of the matter.

"Affected users were in the UK only and this did not impact our international operations," he added.

However, Mr Glover said he still had concerns and did not intend to use the service again.

"It's an issue of doctor-patient confidentiality," he said.

"You expect anything you say to be private, not for it to be shared with a stranger."

The Information Commissioner's Office has confirmed that it had been contacted by Babylon and that it was now waiting to receive the company's breach report.

"People's medical data is highly sensitive information, not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law," said a spokeswoman.

"When a data incident occurs, we would expect an organisation to consider whether it is appropriate to contact the people affected, and to consider whether there are steps that can be taken to protect them from any potential adverse effects."

Babylon told the BBC it had already been in touch with everyone involved to inform them and apologise.