Babylon Health admits to leak of GP video consultations
Patients were given access to the video consultations of others, with one user able to access more than 50 recordings


Patients using a smartphone app developed by the private health firm Babylon to book GP appointments were inadvertently given access to videos recorded by other patients.
The company has admitted that the data breach was the result of a software error in which a new feature worked improperly, showing videos recorded by other people when patients who booked an audio-only consultation switched to video.
The issue was first flagged by a clinician yesterday afternoon, the company told IT Pro, about an hour before reports began circulating on social media. Developers then switched off the video access feature within two hours and began assessing who had been impacted.
One patient, Rory Glover, tweeted yesterday afternoon to complain that he was given access to more than 50 video consultations belonging to other patients through the Babylon app.
“We give out data to these companies in good faith because we believe our information will be kept secure,” Glover added in response to another user. “Personally, I just hope Babylon gather learnings from this monumental error to stop it happening again.”
Any data breach of this nature would raise alarms due to the sensitive nature of the content shared with other patients in the recordings.
While Babylon revealed a “very small group of people” were affected, no exact figures were provided on how many patients' recordings were shared without their consent. The company identified three instances where patients were able to view the videos of others.
“On the afternoon of Tuesday 9th June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient’s consultation recording,” a spokesperson said.
"Our investigation showed that two other patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients’ consultations through a subsection of the user’s profile within the Babylon App.”
“This was the result of a software error rather than a malicious attack. The problem was identified and resolved quickly. Of course we take any security issue, however small, very seriously and have contacted the patients affected to update, apologise to and support where required.”
Babylon added that only users in the UK were affected and that it has informed the Information Commissioner’s Office (ICO).
“People’s medical data is highly sensitive information, not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law," an ICO spokesperson told IT Pro.
"When a data incident occurs, we would expect an organisation to consider whether it is appropriate to contact the people affected, and to consider whether there are steps that can be taken to protect them from any potential adverse effects.
“It is an organisation’s responsibility to fully assess a breach and then judge whether or not they need to report it to the ICO. Where possible, this should be done within 72 hours. If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary.
“Babylon Health contacted the ICO regarding an incident and advice was provided”.
Health secretary Matt Hancock previously courted controversy for singling out Babylon Health for endorsement in late 2018 in a sponsored newspaper supplement. In doing so, he was accused of breaching the ministerial code.
GP at Hand, meanwhile, the NHS service developed by Babylon, was previously reprimanded by the Advertising Standards Authority (ASA) for misleading patients with claims they can secure a GP booking ‘within seconds’.
Sam Smith, co-ordinator of medConfidential, told IT Pro the incident appeared to be a basic failure of access control, adding that it is a catastrophic yet simple issue, not a complex failure.
"Babylon's AI claims have failed in the face of scrutiny, and this shows the failures run far deeper than suspected," Smith said. "This is an egregious breach undermining any claim of technical competence."
IT Pro also approached the Department of Health and Social Care (DHSC) for comment.

Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.