Online GP app Babylon Health suffers major data breach after users are able to see dozens of private consultations between doctors and patients
- Babylon Health lets its 2.3m users speak to a doctor through a smartphone call
- One patient found he had access to dozens of video recordings of other users
- The company found a small number of users could see others’ personal sessions
- Babylon has since said it has fixed the problem and regulators have been notified
Online GP video appointment app Babylon Health suffered a data breach allowing some users to see other patients’ private consultations.
Babylon, which has more than 2.3 million users, lets members speak to a doctor, therapist or other health specialist about their issues through a smartphone video call, and can send an electronic prescription to a pharmacy if appropriate.
But one user found he had access to dozens of video recordings of other patients’ consultations, and a follow-up check by the company established that a small number of British users could also see others’ personal sessions, the BBC reported.
Babylon Health has since said it has fixed the problem and regulators have been notified.
Rory Glover, who lives in Leeds, wanted to check a prescription on Tuesday morning and found around 50 videos in the app that were not his.
Mr Glover, who can access the service through his membership with Babylon’s partner Bupa, said he was ‘shocked’ when he clicked on one video in the Consultation Replays section and found another person’s appointment.
‘You don’t expect to see anything like that when you’re using a trusted app,’ he said. ‘It’s shocking to see such a monumental error has been made.’
He told a work colleague who used to work for Babylon, which is based in London, about the breach, and the issue was then flagged to the company’s compliance department.
Mr Glover then had his access to the clips removed, and Babylon confirmed the breach.
A Babylon spokesperson told MailOnline that clinicians discovered the issue about an hour before they were notified by Mr Glover – and within two hours they had switched off the video access and already begun assessing who had been impacted.
He added that only a very small group of people were affected, because the error came through a new feature used by people who booked an audio-only consultation that day and then switched to video.
The company said in a statement: ‘On the afternoon of Tuesday 9th June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient’s consultation recording.
‘Our investigation showed that two other patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients’ consultations through a subsection of the user’s profile within the Babylon App.
‘This was the result of a software error rather than a malicious attack. The problem was identified and resolved quickly.
‘Of course we take any security issue, however small, very seriously and have contacted the patients affected to update, apologise to and support where required.
‘We proactively notified the Information Commissioner’s Office and will share all the necessary information around this.
‘Affected users were in the UK only and this did not impact our international operations.’
A spokesman also said that the company’s engineering team already knew about the issue before Mr Glover’s colleague contacted them, and the problem was introduced accidentally through a new feature which allows users to change from audio to video consultations during a call, reports indicate.