In an a unfortunate incident, video consultants of some patients using the Babylon Health app were leaked to other users of the app. It couldn’t be a worse time for an incident like this to take place, given all the panic surrounding the COVID-19 crisis.
According to the company’s website, “Babylon’s mission is to put an accessible and affordable health service in the hands of every person on earth.” They make this possible by bringing doctors and patients together via their in-app video consultation sessions.
An app user Rory Glover tweeted: “Why have I got access to other patients video consultations through your app? This is a massive data breach. Over 50 video recordings are on this list!”
BBC reported, the London-based company has confirmed the breach:
“On the afternoon of Tuesday 9 June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient’s consultation recording,” said Babylon in statement. “Our investigation showed that three patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients’ consultations through a subsection of the user’s profile within the Babylon app.”
On Wednesday, the firm further clarified that a total of three patients and not one patient had inadvertent access to the video sessions.
“This was the result of a software error rather than a malicious attack,” they said. “The problem was identified and resolved quickly. Of course we take any security issue, however small, very seriously and have contacted the patients affected to update, apologise to and support where required.”
Naturally, medical data is regarded as highly personally identifiable information demanding stringent security across jurisdictions around the world. Luckily, the company reassured “affected users were in the UK only and this did not impact our international operations.”
The Information Commissioner’s Office (ICO) confirmed that they were notified by Babylon about the breach and is awaiting a report from the company, with findings related to the incident.
“People’s medical data is highly sensitive information, not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law,” said an ICO spokesperson. “When a data incident occurs, we would expect an organisation to consider whether it is appropriate to contact the people affected, and to consider whether there are steps that can be taken to protect them from any potential adverse effects.”
Babylon told the BBC they have already been in touch with everyone involved to inform them, and to apologise.