Healthcare services provider Babylon Health has announced that a data security incident that allowed patients to access video recordings of other patients’ consultations was caused by a software error and not by a cyber attack.
Earlier today, it came to light that some Babylon Health customers were able to see video recordings of other patients’ consultations on the GP video consultation app run by the healthcare services provider.
The Babylon GP app allows people to interact with an NHS GP any time or day of the year through their phone, tablet, or computer or to have face-to-face appointments with GPs Monday to Friday 8 am-6:30 pm. Video consultations can be booked with just 30 minutes’ notice and the app allows users to replay consultations and see medical records and notes, have prescriptions delivered to a pharmacist of their choice, and get information on various symptoms and what to do next.
After the data security incident came to light, Babylon Health told the Guardian: “On the afternoon of Tuesday 9 June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient’s consultation recording.
“Our investigation showed that three patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients’ consultations through a subsection of the user’s profile within the Babylon app.
“This was the result of a software error rather than a malicious attack. The problem was identified and resolved quickly. Of course, we take any security issue, however small, very seriously, and have contacted the patients affected to update, apologise to, and support where required.”
Rory Glover, a user of the Babylon GP app, posted on Twitter that he could see over fifty video recordings of other patients’ consultations. According to the BBC, Babylon’s engineering team was already aware of the issue before Glover discovered that he had access to the recordings. A Babylon spokesman told the BBC that “the problem had been accidentally introduced via a new feature that lets users switch from audio to video-based consultations part way through a call.”
Commenting on the security incident involving Babylon Health, Joseph Carson, chief security scientist at Thycotic, told Teiss that while the risk was limited, it is a scary thought that sensitive patient data via video consultations could be accidentally disclosed. This is a reminder of how important the principle of least privilege is along with strong access controls that reduce accidental data disclosures.
“This has become an all too common occurrence, as highlighted in the recent 2020 Verizon Data Breach Investigations Report which revealed that human error and misconfigurations are on the rise and contributing to many data breaches,” he added.
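The least-privilege and access-control point above comes down to one rule: the server decides which recordings a patient may list or replay, keyed on the owner of the consultation, never on anything the client sends. The following is an added illustration of that pattern, not Babylon Health’s code, and it makes no claim about the actual defect in the app; the patient ids, consultation ids and storage references are constructed sample data.

```python
"""Object-level authorization for consultation recordings.

Added illustration of the least-privilege / access-control point above;
it is not Babylon Health's code and makes no claim about the real defect.
All identifiers and data below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a patient requests a recording they do not own."""


@dataclass(frozen=True)
class Consultation:
    consultation_id: str
    patient_id: str      # the only principal allowed to replay this recording
    recording_ref: str   # opaque storage reference (constructed)


@dataclass
class RecordingService:
    # constructed in-memory table standing in for a database
    consultations: dict[str, Consultation] = field(default_factory=dict)
    # denied and allowed accesses are recorded so misrouted requests are visible
    audit_log: list[str] = field(default_factory=list)

    def list_recordings(self, patient_id: str) -> list[str]:
        """Profile subsection: return only the caller's own consultations.

        The filter is applied server-side on the owner column; the client
        never supplies the list of ids it is allowed to see.
        """
        return sorted(c.consultation_id for c in self.consultations.values()
                      if c.patient_id == patient_id)

    def get_recording(self, patient_id: str, consultation_id: str) -> str:
        """Replay endpoint: deny unless the requested object belongs to the caller.

        A missing id and a foreign id are handled identically so the response
        does not reveal whether another patient's consultation exists.
        """
        consultation = self.consultations.get(consultation_id)
        if consultation is None or consultation.patient_id != patient_id:
            self.audit_log.append(
                f"DENY patient={patient_id} consultation={consultation_id}")
            raise AccessDenied(consultation_id)
        self.audit_log.append(
            f"ALLOW patient={patient_id} consultation={consultation_id}")
        return consultation.recording_ref


def build_sample_service() -> RecordingService:
    """Constructed fixture: three consultations belonging to two patients."""
    svc = RecordingService()
    for cid, pid in (("c-1", "patient-A"), ("c-2", "patient-A"), ("c-3", "patient-B")):
        svc.consultations[cid] = Consultation(cid, pid, f"blob://recordings/{cid}")
    return svc


if __name__ == "__main__":
    svc = build_sample_service()
    print(svc.list_recordings("patient-A"))        # ['c-1', 'c-2']
    try:
        svc.get_recording("patient-A", "c-3")      # another patient's recording
    except AccessDenied as exc:
        print("denied:", exc)
    print(svc.audit_log)
```

The design choice worth noting is that the ownership check sits in the same function that hands out the storage reference, so no code path that adds a new feature (such as a mid-call media switch) can reach a recording without passing it, and every denial leaves an audit line that a monitoring rule can count.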
Niamh Muldoon, senior director of trust and security at OneLogin, said that while it seems Babylon did the right thing by notifying the public and regulators and fixing the issue, this kind of data breach still remains a serious cause for concern. By allowing members of the public’s GP sessions to become public, they potentially revealed some of the most sensitive information available about an individual’s health, which could in turn be leveraged by cybercriminals for social engineering campaigns.
“Malicious attackers know that moving to digital with cloud technology platforms is still very new for many industries including healthcare. Once they have a set of valid credentials, it is easy to compromise corporate applications, particularly SaaS apps including HR systems, file storage services, and CRM. Organisations should recognise the importance of security and privacy and partner with security platforms who can support them in reducing risks and breaches like the above. MFA is a strong control used to reduce the risk of unauthorised access to data and systems; this includes video conferencing.
“I recommend taking the time to carry out a review of all your other online accounts and if any of your online accounts use the same credentials including password as your Babylon account — Multi-factor authentication (MFA) is currently the best method by which organisations can protect themselves from such breaches, proven to prevent 99.9% of account takeovers. Whether it be a soft token, hard token, certificate, or SMS, companies should look at implementing MFA across the board,” Muldoon added.