Babylon Health has admitted its GP app suffered a data breach after a user was able to access video recordings of other patients’ consultations.
The company confirmed that recordings of other patients’ consultations were presented to three users of its GP at Hand app, one of whom viewed part of a recording.
It said the issue was caused by a software error and had since been fixed, adding that regulators had been notified.
Rory Glover said he was able to access more than 50 video recordings when he signed on to GP at Hand, Babylon’s digital primary care app.
Flagging his concern on Twitter on 9 June 2020, Glover (@Rory_Glover) said he had reported the “massive data breach” to the Information Commissioner’s Office (ICO).
A spokesperson for Babylon said the issue was caused by a new feature allowing users to switch from audio-only to video consultations.
“On the afternoon of Tuesday, 9 June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient’s consultation recording,” they said.
“Our investigation showed that two other patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients’ consultations through a subsection of the user’s profile within the Babylon App.
“This was the result of a software error rather than a malicious attack. The problem was identified and resolved quickly.”
The company’s data protection officer also alerted the ICO.
“Of course we take any security issue, however small, very seriously and have contacted the patients affected to update, apologise to and support where required,” the spokesperson added.
“We proactively notified the Information Commissioner’s Office and will share all the necessary information around this. Affected users were in the UK only and this did not impact our international operations.”
A spokesperson for the ICO said it had provided Babylon with advice following the breach.
“People’s medical data is highly sensitive information. Not only do people expect it to be handled carefully and securely, but organisations also have a responsibility under the law,” a spokesperson said.
“When a data incident occurs, we would expect an organisation to consider whether it is appropriate to contact the people affected, and to consider whether there are steps that can be taken to protect them from any potential adverse effects.
“It is an organisation’s responsibility to fully assess a breach and then judge whether or not they need to report it to the ICO. Where possible, this should be done within 72 hours.”
Organisations that judge a breach does not meet the reporting threshold are still required to keep their own record of it: under Article 33 of the GDPR the controller must document the facts of the breach, its effects and the remedial action taken, so the regulator can verify the decision later.