Babylon Health, a UK-based telehealth app, has suffered a data breach that accidentally allowed app users to access other patients’ video medical consultations with doctors, the BBC reports.
For those unaware, Babylon Health, which has more than 2.3 million registered users in the UK, is a health service provider that offers remote consultations with doctors and health care professionals via text and video messaging through its mobile application.
The data breach was first discovered by a Twitter user (@Rory_Glover), who said on Tuesday that after signing in to the Babylon Health app, he could see 50 or so videos that did not belong to him under the Consultation Replays section.
When Glover clicked on one of the replays, he found that the file contained footage of another person’s appointment.
“I was shocked,” he told the BBC.
“You don’t expect to see anything like that when you’re using a trusted app. It’s shocking to see such a monumental error has been made.”
Glover said he brought the issue to the attention of a work colleague who used to work for Babylon. The colleague, in turn, raised the issue with the company’s compliance department.
Subsequently, Glover’s access to the clips was revoked.
Babylon Health has since admitted the data breach and said it was related to a “software error” and not a malicious attack. The software glitch was accidentally introduced via a new feature that allows users to switch from audio to video consultations partway through a call.
According to the company, only a small number of users in the UK were able to view other users’ sessions. Babylon says it has since fixed the issue and that users can no longer view consultations other than their own.
“On the afternoon of Tuesday 9 June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient’s consultation recording,” a spokesperson for Babylon said in a statement.
“Our investigation showed that three patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients’ consultations through a subsection of the user’s profile within the Babylon app,” the statement continued.
“This was the result of a software error rather than a malicious attack. The problem was identified and resolved quickly.
“Of course we take any security issue, however small, very seriously and have contacted the patients affected to update, apologise to and support where required.
“We proactively notified the Information Commissioner’s Office and will share all the necessary information around this.
“Affected users were in the UK only and this did not impact our international operations.”