Babylon Health, makers of a smartphone app that allows Brits to have consultations with NHS doctors, has admitted that a “software error” resulted in some users being able to access other patients’ private video chats with GPs.

The data breach came to light after one user, Rory Glover, tweeted that he was shocked to find the app’s “GP at Hand” functionality had given him unauthorised access to “over 50 video recordings”:

AWS Builder Community Hub

“Why have I got access to other patients video consultations through your app? This is a massive data breach. Over 50 video recordings are on this list!”

Glover attached a screenshot, showing that it was possible to replay the medical consultations on his Android smartphone:

Babylon Health app leak

In a statement given to The Guardian, Babylon Health confirmed the breach, and said that only three patients booking appointments had been presented with other patients’ video recordings:

“On the afternoon of Tuesday 9 June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient’s consultation recording.”

“Our investigation showed that three patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients’ consultations through a subsection of the user’s profile within the Babylon app.”

“This was the result of a software error rather than a malicious attack. The problem was identified and resolved quickly. Of course we take any security issue, however small, very seriously and have contacted the patients affected to update, apologise to and support where required.”

A Babylon Health spokesperson separately claimed that the firm’s software engineering department was already aware of the issue before it was made aware of Glover’s discovery.

As the underlying problem was a software problem I did wonder how only three patients (Read more...)