Patient video consultations leaked in medical data breach: Babylon Health UK

 

In an unfortunate incident, video consultations of some patients using the Babylon Health app were leaked to other users of the app. It couldn’t be a worse time for an incident like this to take place, given all the panic surrounding the COVID-19 crisis.

According to the company’s website, “Babylon’s mission is to put an accessible and affordable health service in the hands of every person on earth.” They make this possible by bringing doctors and patients together via their in-app video consultation sessions.

An app user, Rory Glover, tweeted: “Why have I got access to other patients video consultations through your app? This is a massive data breach. Over 50 video recordings are on this list!”

 

 

Image credit: Rory G (Twitter)

As the BBC reported, the London-based company has confirmed the breach:

“On the afternoon of Tuesday 9 June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient’s consultation recording,” said Babylon in a statement. “Our investigation showed that three patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients’ consultations through a subsection of the user’s profile within the Babylon app.”

On Wednesday, the firm further clarified that a total of three patients, not one, had inadvertent access to the video sessions.

“This was the result of a software error rather than a malicious attack,” they said. “The problem was identified and resolved quickly. Of course we take any security issue, however small, very seriously and have contacted the patients affected to update, apologise to and support where required.”

Naturally, medical data is regarded as highly sensitive personally identifiable information, demanding stringent security across jurisdictions around the world. The company gave assurances that “affected users were in the UK only and this did not impact our international operations.”

The Information Commissioner’s Office (ICO) confirmed that it was notified by Babylon about the breach and is awaiting a report from the company with findings related to the incident.

“People’s medical data is highly sensitive information, not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law,” said an ICO spokesperson. “When a data incident occurs, we would expect an organisation to consider whether it is appropriate to contact the people affected, and to consider whether there are steps that can be taken to protect them from any potential adverse effects.”

Babylon told the BBC that it has already been in touch with everyone involved to inform them and to apologise.

Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).
