A breach at Babylon Health caused by what the telehealth company called a “software error” allowed app users to gain access to other users’ video consults with doctors.
A user reported that after signing on, 50 or so videos belonging to others appeared in the Consultation Replays section of the Babylon Health app, according to a BBC report.
“On the afternoon of Tuesday 9 June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient’s consultation recording,” the telehealth start-up said in a statement cited by the report, underscoring that the issue stemmed from a glitch, not a malicious incident. “Our investigation showed that three patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients’ consultations through a subsection of the user’s profile within the Babylon app.”
“While getting telehealth applications up and running effectively with little to no downtime is a priority, security cannot be left behind in the rush, especially with sensitive and personal healthcare data on the line,” said Mark Rogan, DAST manager, vulnerability verification, Europe, at WhiteHat Security. “The stakes are high – healthcare data is among the most valuable and personally important private information shared between organizations in any area of society.”
Emerging healthtech startups like Babylon Health “must ensure that data protection is of the utmost priority, especially when sensitive patient data is collected, recorded and stored,” said LogRhythm Labs CSO and Vice President James Carder. “The healthcare sector’s access to vast, valuable data types are a key target for various intelligent threat actors.”
Noting that “Babylon Health has yet to disclose exactly what this software error was,” Carder said, “the breach could have been due to a lack of segregation between patients, the improper use of a shared repository, or a basic web application security flaw allowing users to access each other’s data.”
Aman Johal, lawyer and director at Your Lawyers, called it “extremely alarming to hear that a user of the Babylon Health app has been able to access dozens of confidential video recordings of other patients’ consultations. With more than 2.3 million registered users in the U.K., we are concerned that many more may have been affected with extremely private information leaked.”
Carder said more details about the incident “as to why and how only three users were given access to the recordings should be uncovered.”