Babylon Health data breach exposes user medical records to strangers

(Image credit: Shutterstock / Devina Saputri)

Babylon Health has confirmed its telehealth consultation platform was subject to a data breach that exposed the medical records of a number of users.

The incident was not the result of a cyberattack, but rather a software error that led to a handful of users being able to access recordings of other patients’ virtual consultations.

The bug, already known to Babylon engineers prior to the incident, was reportedly introduced alongside a new feature that allows patients to switch between audio and video modes in the middle of a consultation.

The firm has informed and apologized to the patients whose data was compromised in the breach, all of whom are UK residents.

Babylon Health data breach

Telehealth services have been under the spotlight since coronavirus lockdown measures were introduced, with routine visits to hospitals and GPs made difficult - if not impossible - by the pandemic.

As a result of this shift, analysts at Forrester expect general medicine care interactions via these platforms to surpass 200 million this year, more than quadruple the original estimate.

UK-based Babylon Health allows patients to video chat with doctors via smartphone and arrange for digital prescriptions to be delivered to their local pharmacy. The app also allows users to monitor various health-related metrics to better assess their physical and mental condition.

Babylon Health has acknowledged the embarrassing incident, but has not confirmed the total number of patients affected by the breach. 

“On the afternoon of Tuesday 9 June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient’s consultation recording,” reads a statement issued by the firm.

“Our investigation showed that three patients, who had booked and had appointments, were incorrectly presented with, but did not view, recordings of other patients’ consultations through a subsection of the user’s profile within the Babylon app.”

The company later rectified its statement to reflect that three users in total gained access to recordings, one of which viewed another patient’s consultation.

According to Kate Bevan, Computing Editor at consumer rights watchdog Which?, although cybersecurity is an important consideration for any business, telehealth platforms have an additional responsibility to protect customer data, given its highly sensitive nature.

“No one would invite a complete stranger to sit next to them in the doctor’s surgery, which is why this Babylon Health breach is so alarming,” she said.

“If consumers are to trust new digital health services and feel comfortable accessing health services online, security must be second to none.”

The Information Commissioner’s Office (ICO) confirmed it has been informed of the incident and that Babylon Health will soon provide a full breach report.

Via BBC

Joel Khalili
News and Features Editor

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He's responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.