Babylon Health admits ‘software error’ led to patient data breach

Babylon Health, a UK AI chatbot and telehealth startup which has been valued in excess of $2BN, has suffered an embarrassing data breach after a user of the app found he was able to access other patients’ video consultations.

“Why have I got access to other patients video consultations through your app?” tweeted Rory Glover yesterday. “This is a massive data breach. Over 50 video recordings are on this list!”

We’ve reached out to Babylon Health with questions.

The company confirmed the breach yesterday, telling the BBC that a “software error” related to a feature that lets users switch from audio to video-based consultations part way through a call had caused a “small number” of UK users to be able to see others sessions.

In all it claimed three users were able to access other patients’ data. It’s not clear how many patients’ consultations were erroneously presented to those three (or whether they would each have been able to view each others’).

“On the afternoon of Tuesday 9 June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient’s consultation recording. Our investigation showed that three patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients’ consultations through a subsection of the user’s profile within the Babylon app,” the company said in a statement.

“This was the result of a software error rather than a malicious attack. The problem was identified and resolved quickly. Of course we take any security issue, however small, very seriously and have contacted the patients affected to update, apologise to and support where required.”

“Affected users were in the UK only and this did not impact our international operations,” it added.

While Babylon is spinning this breach as “small” — and in numbers affected terms that seems to be the case — medical information is among the most sensitive personal data there is.

Under UK and EU law people’s health data is considered ‘special category data’ — meaning the highest standard of data protection applies. Breaches of the General Data Protection Regulation, meanwhile, can attract very large financial penalties — of up to 4% of global annual turnover.

Reached for comment on the Babylon data breach, the UK’s data watchdog confirmed the company had contacted it regarding “an incident”, noting that “advice was provided”.

In a statement the ICO added:

People’s medical data is highly sensitive information, not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law. When a data incident occurs, we would expect an organisation to consider whether it is appropriate to contact the people affected, and to consider whether there are steps that can be taken to protect them from any potential adverse effects.

It is an organisation’s responsibility to fully assess a breach and then judge whether or not they need to report it the ICO. Where possible, this should be done within 72 hours. If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary.

In the UK Babylon encourages users to replace their bricks-and-mortar GP with virtual consultations via its app.

More recently, it’s been making a push into the US market — including investing in health kiosk operator Higi in a deal that will see it gain access to data on users of the 10,000+ free-to-use kiosks.

Domestically, the startup has benefitted from high profile ministerial backing, with health secretary Matt Hancock a public fan and user — albeit that was before he learnt about this latest security snafu…

Glover told the BBC he had been “shocked” by the data breach, adding that he does not intend to continue using Babylon’s app as a result of privacy concerns.

The patient data breach is not the first security alarm raised about Babylon’s app: Earlier this year the company attracted attention after it published information pertaining to a user of its app, Dr David Watkins, who has spent years raising patient safety concerns related to its symptom triage chatbot service.