[BreachExchange] Babylon Health admits ‘software error’ led to patient data breach

Destry Winant destry at riskbasedsecurity.com
Thu Jun 11 10:21:40 EDT 2020


Babylon Health, a UK AI chatbot and telehealth startup which has been
valued in excess of $2BN, has suffered an embarrassing data breach
after a user of the app found he was able to access other patients’
video consultations.

“Why have I got access to other patients video consultations through
your app?” tweeted Rory Glover yesterday. “This is a massive data
breach. Over 50 video recordings are on this list!”

We’ve reached out to Babylon Health with questions.

Rory G at Rory_Glover

@babylonhealth Why have I got access to other patients video
consultations through your app? This is a massive data breach. Over 50
video recordings are on this list!

7:16 AM - Jun 9, 2020

The company confirmed the breach yesterday, telling the BBC that a
“software error” related to a feature that lets users switch from
audio to video-based consultations part way through a call had caused
a “small number” of UK users to be able to see others’ sessions.

In all it claimed three users were able to access other patients’
data. It’s not clear how many patients’ consultations were erroneously
presented to those three (or whether they would each have been able to
view each others’).

“On the afternoon of Tuesday 9 June we identified and resolved an
issue within two hours whereby one patient accessed the introduction
of another patient’s consultation recording. Our investigation showed
that three patients, who had booked and had appointments today, were
incorrectly presented with, but did not view, recordings of other
patients’ consultations through a subsection of the user’s profile
within the Babylon app,” the company said in a statement.

“This was the result of a software error rather than a malicious
attack. The problem was identified and resolved quickly. Of course we
take any security issue, however small, very seriously and have
contacted the patients affected to update, apologise to and support
where required.”

“Affected users were in the UK only and this did not impact our
international operations,” it added.

While Babylon is spinning this breach as “small” — and in numbers
affected terms that seems to be the case — medical information is
among the most sensitive personal data there is.

Under UK and EU law people’s health data is considered ‘special
category data’ — meaning the highest standard of data protection
applies. Breaches of the General Data Protection Regulation,
meanwhile, can attract very large financial penalties — of up to 4% of
global annual turnover.

Reached for comment on the Babylon data breach, the UK’s data watchdog
confirmed the company had contacted it regarding “an incident”, noting
that “advice was provided”.

In a statement the ICO added:

People’s medical data is highly sensitive information, not only do
people expect it to be handled carefully and securely, organisations
also have a responsibility under the law. When a data incident occurs,
we would expect an organisation to consider whether it is appropriate
to contact the people affected, and to consider whether there are
steps that can be taken to protect them from any potential adverse

It is an organisation’s responsibility to fully assess a breach and
then judge whether or not they need to report it to the ICO. Where
possible, this should be done within 72 hours. If an organisation
decides that a breach doesn’t need to be reported they should keep
their own record of it, and be able to explain why it wasn’t reported
if necessary.

In the UK Babylon encourages users to replace their bricks-and-mortar
GP with virtual consultations via its app.

More recently, it’s been making a push into the US market — including
investing in health kiosk operator Higi in a deal that will see it
gain access to data on users of the 10,000+ free-to-use kiosks.

Domestically, the startup has benefitted from high profile ministerial
backing, with health secretary Matt Hancock, a public fan and user,
albeit that was before he learnt about this latest security snafu…

Ryan Browne @Ryan_Browne_

Matt Hancock, clearly unaware he's still audible on this CogX talk,
says he had no idea about Babylon data breach reported today. He says
he should have known, "especially since they're my GP. Honestly, they
know more about my bunion than anybody."

4:32 AM - Jun 10, 2020

Glover told the BBC he had been “shocked” by the data breach, adding
that he does not intend to continue using Babylon’s app as a result of
privacy concerns.

The patient data breach is not the first security alarm raised about
Babylon’s app: Earlier this year the company attracted attention after
it published information pertaining to a user of its app, Dr David
Watkins, who has spent years raising patient safety concerns related
to its symptom triage chatbot service.
