Online GP app Babylon Health suffers data breach allowing users to see other patients’ consultations

Online GP app Babylon Health suffers major data breach after users are able to see dozens of private consultations between doctors and patients

  • Babylon Health lets its 2.3m users speak to a doctor through a smartphone call 
  • One patient found he had access to dozens of video recordings of other users 
  • The company found a small number of users could see others’ personal sessions
  • Babylon has since said it has fixed the problem and regulators have been notified

Online GP video appointment app Babylon Health suffered a data breach allowing some users to see other patients’ private consultations. 

Babylon, which has more than 2.3 million users, lets members speak to a doctor, therapist or other health specialist about their issues through a smartphone video call, and can send an electronic prescription to a pharmacy if appropriate.   

But one user found he had access to dozens of video recordings of other patients’ consultations, and a follow-up check by the company established that a small number of British users could also see others’ personal sessions, the BBC reported. 

Babylon Health has since said it has fixed the problem and regulators have been notified.


HOW BABYLON HEALTH WORKS

Patients download the Babylon Health app and provide their name and a password.

They are first asked their date of birth – only over 16s can use the app as it has not been rigorously tested on children.

Patients are then asked to ‘briefly describe the symptom that’s worrying you most’.

If they reply a headache, for example, they will be asked up to 30 other questions.

They will be asked where in the head they feel the pain, how long they have had it and whether it came on suddenly.

Other questions include whether patients have any other symptoms such as dizziness, flashing lights in their eyes or sickness.

They will also be asked if they have lost or gained weight (weight loss can be a sign of cancer) and if they are more stressed.

At the end of the questions, patients will be told the most likely cause of their symptoms and the action they should take.

An example message reads: ‘People with symptoms similar to yours usually have the following conditions: tension headache.

‘This can usually be treated by a pharmacist’.

They will also be given a second possible cause, which in this example would be a cluster headache.

The message reads: ‘Another possible cause of these symptoms is Cluster headache (attacks of severe, one-sided headaches which occur in clusters).

‘This usually requires seeing a GP’.

Rory Glover, who lives in Leeds, wanted to check a prescription on Tuesday morning and found around 50 videos in the app that were not his. 

Mr Glover, who can access the service through his membership with Babylon’s partner Bupa, said he was ‘shocked’ when he clicked on one video in the Consultation Replays section and found another person’s appointment. 

‘You don’t expect to see anything like that when you’re using a trusted app,’ he said. ‘It’s shocking to see such a monumental error has been made.’

He told a work colleague who used to work for Babylon, which is based in London, about the breach, and the issue was then flagged to the company’s compliance department. 

Mr Glover then had his access to the clips removed, and Babylon confirmed the breach. 

A Babylon spokesperson told MailOnline that clinicians discovered the issue about an hour before they were notified by Mr Glover – and within two hours they had switched off the video access and already begun assessing who had been impacted. 

He added that only a very small group of people were affected, because the error came through a new feature used by people who booked an audio-only consultation that day and then switched to video. 

The company said in a statement: ‘On the afternoon of Tuesday 9th June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient’s consultation recording. 

‘Our investigation showed that two other patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients’ consultations through a subsection of the user’s profile within the Babylon App.

‘This was the result of a software error rather than a malicious attack. The problem was identified and resolved quickly. 

‘Of course we take any security issue, however small, very seriously and have contacted the patients affected to update, apologise to and support where required.

‘We proactively notified the Information Commissioner’s Office and will share all the necessary information around this.

‘Affected users were in the UK only and this did not impact our international operations.’

A spokesman also said that the company’s engineering team already knew about the issue before Mr Glover’s colleague contacted them, and the problem was introduced accidentally through a new feature which allows users to change from audio to video consultations during a call, reports indicate.