London-based digital firm Babylon Health has admitted that a data breach occurred that allowed a patient to access recordings of another patient’s consultation via the GP at Hand app.
The app, which has more than 2.3 million UK users, allows members to book medical appointments, access a triage chatbot and have consultations with NHS doctors via smartphone video call.
A Babylon spokesperson says the error occurred through a new feature that allows people who booked an audio-only consultation to switch to video part way through a call.
The firm claims the breach only affected “a very small group of people” and it was aware of the issue an hour before being alerted by a user.
WHY IT MATTERS
Even a small data breach highlights exploitable vulnerabilities in a system, according to Dr Saif F Abed, founding partner and director of cybersecurity advisory services AbedGraham.
“What starts as an accident that’s quickly resolved could actually paint a target on a vendor, and especially a high profile one, for malicious and sustained attacks,” Abed said.
To counteract this, Abed said that healthcare providers need to ensure they have security and clinical risk audits ingrained as a part of procurement and beyond with their suppliers and especially startups.
“Incidents like this are only going to increase as telehealth adoption continues its rise due to the COVID-19 pandemic. We have to remember that today we might be talking about a data breach, but tomorrow it could be a complete loss of service or even clinical data tampering because of an attack,” he added.
THE LARGER CONTEXT
The GP at Hand app is no stranger to controversy. The rollout of the app in Birmingham was delayed by NHS officials due to patient safety concerns. Babylon also came under fire for privacy issues earlier this year when it publicly analysed details of a prominent critic’s search data.
ON THE RECORD
A Babylon spokesperson said: “On the afternoon of Tuesday 9th June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient’s consultation recording. Our investigation showed that two other patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients’ consultations through a subsection of the user’s profile within the Babylon app.
“This was the result of a software error rather than a malicious attack. The problem was identified and resolved quickly. Of course we take any security issue, however small, very seriously and have contacted the patients affected to update, apologise to and support where required.
“We proactively notified the Information Commissioner’s Office and will share all the necessary information around this.
“Affected users were in the UK only and this did not impact our international operations.”