The breach was discovered by a Babylon Health user who was mistakenly provided access to other patients’ video consultation recordings through the company’s app.
Babylon Health, a UK AI chatbot and telehealth start-up that was valued at more than $2bn after a $550m funding round last year, recently told the BBC that its platform has suffered a data breach.
Babylon Health’s technology is used by the NHS as well as companies such as Prudential, Samsung, Telus and Bupa. The breach became public knowledge after a customer using the product through Bupa tweeted that he could access recordings belonging to other patients using the app.
Rory Glover, who lives in Leeds, tweeted at the company. He asked: “Why have I got access to other patients’ video consultations through your app? This is a massive data breach. Over 50 video recordings are on this list.”
— Rory G (@Rory_Glover) June 9, 2020
Glover told the BBC that he was “shocked” to see data exposed on a “trusted app.” He described it as a “monumental error.”
Babylon Health’s response
Babylon Health has since acknowledged the breach and said that the issue has been fixed and the appropriate regulators have been notified. Babylon Health said the breach occurred because of a software error, not a malicious attack.
The firm said that the breach only affected users in the UK.
In a statement, the company said: “On the afternoon of Tuesday 9 June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient’s consultation recording.
“Our investigation showed that three patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients’ consultations through a subsection of the user’s profile within the Babylon app.”
The company said: “Of course we take any security issue, however small, very seriously and have contacted the patients affected to update, apologise and support where required.”
A spokesperson for Babylon Health said that the software problem was accidentally introduced to the app through a new feature that allowed users to switch from audio to video-based consultations part way through a call.
After discovering the breach, Glover told the BBC that he does not intend to use the app again. He said: “It’s an issue of doctor-patient confidentiality. You expect anything you say to be private, not for it to be shared with a stranger.”
This is the second time that privacy concerns have publicly been raised against Babylon Health this year. The first occurred in February, when the company “pulled app data on a critical user” in order to “publicly attack” him after he expressed concerns, according to TechCrunch.
The Information Commissioner’s response
The UK Information Commissioner’s Office (ICO) said that it provided “advice” to the healthtech start-up following the breach, which affected data treated under the highest standard of data protection in the UK.
The ICO said: “People’s medical data is highly sensitive information, not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law.
“When a data incident occurs, we would expect an organisation to consider whether it is appropriate to contact the people affected and to consider where there are steps that can be taken to protect them from any potential adverse effects.”
The independent authority, which was set up to uphold information rights in the public interest, said that it is an organisation’s responsibility to fully assess a breach and judge if it needs to be reported to the authority.
“Where possible, this should be done within 72 hours,” the ICO said. “If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary.”