Healthcare Provider Babylon Reports Data Breach

Healthcare provider Babylon has reported a data breach of its GP video appointment app.

The company said it has fixed an issue where video recordings of other patients' consultations could be accessed, and has notified regulators. One UK-based user found he had access to 50 videos in the Consultation Replays section of the app, and one contained footage of another person's appointment.

According to BBC News, Babylon allows its members to speak to a doctor, therapist or other health specialist via a smartphone video. 

In a statement, Babylon said it was able to identify and resolve the issue within two hours, and blamed a software error. “Our investigation showed that three patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients' consultations through a subsection of the user's profile within the Babylon app.”

Babylon told the BBC it had already been in touch with everyone involved to inform them and apologize, and had contacted the Information Commissioner's Office regarding the incident.

The ability to identify and resolve the issue within two hours was commended by cybersecurity commentators.

Tony Pepper, CEO, Egress, said vendors like Babylon offering technology to support new ways of working must ensure data security is core to anything they're developing, and “this includes fully authenticating users before they access data and making sure data isn't deposited, replicated or transferred into portals or insecure areas where it can be subject to unauthorized access.”

Brian Higgins, security specialist at Comparitech.com, added that, as the NHS operates its own App Store, any platforms offered by NHS services including GPs etc. are rigorously tested before they are certified for use. He said: “Babylon Health have clearly explained that this issue was caused by an internal software update and not by any malicious or criminal activity. They have also followed their ICO reporting responsibilities. In short, they appear to have done everything right.

“What this case highlights is that developing technology is fluid and what might be deemed safe and secure at the point of sale needs regular monitoring to ensure that it stays that way.”

Kelvin Murray, senior threat researcher at Webroot, said: “Anyone who develops an app that handles sensitive customer data should ask themselves two important questions – is it secure and is it really necessary? We’re seeing that breaches such as these are all too common and anyone looking to save time and money by moving to a digital system should take risks such as these into consideration.

“This is especially important in the healthcare industry which is at particular risk of cyber-attacks and data breaches, as information such as health records is very valuable to criminals. It will always command high prices on the dark web as it can be used for criminal activities such as fraud, extortion and in the drug trade.”
 
Aman Johal, lawyer and director of Your Lawyers, said with doctors difficult to access due to COVID-19 restrictions, many people are relying on technological solutions like Babylon Health. “Data breaches like this show that there is still much more that needs to be done to ensure we can trust in the use of such technology. Healthcare organizations can be particularly vulnerable to data breaches due to the wealth of highly sensitive information they hold, and firms operating in this sector must go the extra mile to ensure data is protected, or face the consequences.”
