Glitch in Babylon Health app leaked patients’ video recordings



Healthcare services provider Babylon Health has said that a data security incident that allowed patients to access video recordings of other patients’ consultations was caused by a software error rather than a cyber attack.

Earlier today, it came to light that some Babylon Health customers were able to see video recordings of other patients’ consultations on the GP video consultation app run by the healthcare services provider.

The Babylon GP app allows people to interact with an NHS GP any time or day of the year through their phone, tablet, or computer or to have face-to-face appointments with GPs Monday to Friday 8 am-6:30 pm. Video consultations can be booked with just 30 minutes’ notice and the app allows users to replay consultations and see medical records and notes, have prescriptions delivered to a pharmacist of their choice, and get information on various symptoms and what to do next.

After the data security incident came to light, Babylon Health told the Guardian: “On the afternoon of Tuesday 9 June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient’s consultation recording.

“Our investigation showed that three patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients’ consultations through a subsection of the user’s profile within the Babylon app.

“This was the result of a software error rather than a malicious attack. The problem was identified and resolved quickly. Of course, we take any security issue, however small, very seriously, and have contacted the patients affected to update, apologise to, and support where required.”

Rory Glover, a user of the Babylon GP app, posted on Twitter that he could see over fifty video recordings of other patients’ consultations. According to the BBC, Babylon’s engineering team was already aware of the issue before Glover discovered that he had access to the recordings. A Babylon spokesman told the BBC that “the problem had been accidentally introduced via a new feature that lets users switch from audio to video-based consultations part way through a call.”

https://twitter.com/Rory_Glover/status/1270329006672564227

Commenting on the security incident involving Babylon Health, Joseph Carson, chief security scientist at Thycotic, told Teiss that while the risk was limited, it is a scary thought that sensitive patient data from video consultations could be accidentally disclosed. This is a reminder of how important the principle of least privilege is, along with strong access controls that reduce accidental data disclosures.

“This has become an all too common occurrence, as highlighted in the recent 2020 Verizon Data Breach Investigations Report which revealed that human error and misconfigurations are on the rise and contributing to many data breaches,” he added.
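The access-control point above, as an added illustration that is not Babylon Health’s code and does not reproduce the actual defect (the page only says a software error in the audio-to-video switching feature caused recordings to be presented to the wrong patients): the insecure functions below look a recording up by a client-supplied identifier alone, so any user who is handed the wrong id is served the wrong recording, while the hardened functions scope every lookup by the authenticated requester and deny by default. All names, identifiers and sample records are constructed.

```python
"""Object-level authorization for consultation recordings.

Added example, not the Babylon GP app's code. Models a patient profile
that lists and fetches consultation recordings, contrasting a lookup that
trusts the client-supplied identifier with one scoped to the session.
"""
from dataclasses import dataclass, field
from typing import Dict, List


class Forbidden(Exception):
    """Raised when the requester is not a participant in the consultation."""


@dataclass(frozen=True)
class Recording:
    recording_id: str
    patient_id: str       # patient who had the consultation
    clinician_id: str     # GP who conducted it
    consultation_id: str
    media_ref: str        # placeholder for the stored video (constructed)


@dataclass
class RecordingStore:
    recordings: Dict[str, Recording] = field(default_factory=dict)

    def add(self, rec: Recording) -> None:
        self.recordings[rec.recording_id] = rec

    # --- the pattern that leads to cross-patient disclosure ---------------
    def get_recording_insecure(self, recording_id: str) -> Recording:
        # Trusts the identifier from the client: whoever presents (or is
        # mistakenly handed) an id gets the recording, owner or not.
        return self.recordings[recording_id]

    def list_recordings_insecure(self, patient_id: str) -> List[Recording]:
        # Scopes by a client-supplied patient id instead of the session
        # identity; a wrong id in the request widens the result set.
        return [r for r in self.recordings.values() if r.patient_id == patient_id]

    # --- hardened: scope every lookup by the authenticated principal ------
    def get_recording(self, requester_id: str, recording_id: str) -> Recording:
        rec = self.recordings.get(recording_id)
        # Deny by default; unknown and unauthorized ids look identical to
        # the caller, so the id space cannot be enumerated.
        if rec is None or requester_id not in (rec.patient_id, rec.clinician_id):
            raise Forbidden(f"{requester_id} may not access {recording_id}")
        return rec

    def list_recordings(self, requester_id: str) -> List[Recording]:
        # The profile view is filtered by the session identity only; there
        # is no request parameter that can widen it to other patients.
        return [r for r in self.recordings.values()
                if requester_id in (r.patient_id, r.clinician_id)]


def build_sample_store() -> RecordingStore:
    """Constructed sample data: two patients, one GP, three recordings."""
    store = RecordingStore()
    store.add(Recording("rec-1", "patient-a", "gp-1", "cons-1", "blob://1"))
    store.add(Recording("rec-2", "patient-b", "gp-1", "cons-2", "blob://2"))
    store.add(Recording("rec-3", "patient-a", "gp-1", "cons-3", "blob://3"))
    return store


def demo() -> dict:
    """patient-a asks for patient-b's recording through both code paths."""
    store = build_sample_store()
    leaked_owner = store.get_recording_insecure("rec-2").patient_id
    try:
        store.get_recording("patient-a", "rec-2")
        blocked = False
    except Forbidden:
        blocked = True
    return {
        "insecure_served_owner": leaked_owner,   # "patient-b": wrong patient
        "hardened_blocked": blocked,             # True
        "patient_a_sees": sorted(r.recording_id for r in store.list_recordings("patient-a")),
        "gp_sees": sorted(r.recording_id for r in store.list_recordings("gp-1")),
    }


if __name__ == "__main__":
    print(demo())
```

The hardened path takes the requester from the authenticated session, never from the request body or URL, and treats "not found" and "not yours" the same; the listing function has no parameter at all that names another patient, which is the least-privilege shape a profile subsection should have.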

Niamh Muldoon, senior director of trust and security at OneLogin, said that while Babylon appears to have done the right thing by notifying the public and regulators and fixing the issue, this kind of data breach remains a serious cause for concern. By allowing members of the public’s GP sessions to be seen by others, Babylon potentially revealed some of the most sensitive information that exists about an individual’s health, which cybercriminals could in turn use in social engineering campaigns.

“Malicious attackers know that moving to digital with cloud technology platforms is still very new for many industries including healthcare. Once they have a set of valid credentials, it is easy to compromise corporate applications, particularly SaaS Apps including HR Systems, File Storage Services, and CRM. Organisations should recognize the importance of security and privacy and partner with security platforms who can support them reducing risks and breaches like above. MFA is a strong control used to reduce the risk of unauthorised access to data and systems this includes video conferencing.

“I recommend taking the time to carry out a review of all your other online accounts and if any of your online accounts use the same credentials including password as your Babylon account — Multi-factor authentication (MFA) is currently the best method by which organisations can protect themselves from such breaches, proven to prevent 99.9% of account takeovers. Whether it be a soft token, hard token, certificate, or SMS, companies should look at implementing MFA across the board,” Muldoon added.


Copyright Lyonsdown Limited 2021
