Babylon Health GP App Suffered Data Breach

Babylon Health, a company active in telehealth, has suffered a data breach. The firm was alerted by a UK user, who said that he could access video recordings of other patients’ consultations. The breach was caused by a software error. According to the firm, only three UK users were affected and the issue has been resolved.

Telehealth Market

The current pandemic limits physical contact. This limit is an issue for many businesses, but it has definitely been a challenge for doctors. That is why governments and organizations have made a move towards technology to inform people about their health. Many track and trace apps that are developed are paired with an app that can be used to ask questions to healthcare professionals.

Babylon Health’s app functions in a similar way. It provides a chatbot that can diagnose basic problems. You can also use it for video consultations with an actual doctor through a feature called GP at Hand.

Software Error

Babylon confirmed the data breach on Tuesday. The company told the BBC that a software error led to a small number of users in the UK being able to watch other patients’ video sessions. Three users were able to see other patients’ data. The breach was not caused by a malicious attack but by a software error, and the patients who were affected were contacted.

“On the afternoon of Tuesday 9 June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient’s consultation recording. Our investigation showed that three patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients’ consultations through a subsection of the user’s profile within the Babylon app,” the company said in a statement.


Even though Babylon is trying to spin this story as a small issue that was resolved in no time, you need to take a moment to realize that medical information is the most sensitive data there is. UK and EU law categorize it as ‘special category data’, which means that the highest level of data protection needs to apply.

When a company violates the General Data Protection Regulation (GDPR), it can be penalized financially. This fine can go up to four percent of global annual turnover. The Information Commissioner’s Office (ICO) confirmed that it was contacted by Babylon about the breach and that advice was provided.

An ICO spokesperson said: “People’s medical data is highly sensitive information, not only do people expect it to be handled carefully and securely, organizations also have a responsibility under the law. When a data incident occurs, we would expect an organization to consider whether it is appropriate to contact the people affected, and to consider whether there are steps that can be taken to protect them from any potential adverse effects.”

Criticized by NHS

Babylon’s AI platform has faced major criticism. Babylon was founded in 2016, in South West London. From the start, many people outside the district were using the platform, which meant that the local National Health Service (NHS) authority had to pay for patients who weren’t part of its district. That resulted in financial issues.

Another issue that surfaced was that GPs get a certain amount of money for each patient that they register. So it would be better for the company when easy cases are registered instead of the more complicated, and often more expensive, patients. This means that the company puts profits first, not healthcare.

The GP at Hand chatbot has attracted criticism as well. In December 2018, medical staff working for Babylon voiced their concern about the results the chatbot produces. Features like these are relatively new on the market and companies need time to update their systems. And even then they can’t guarantee flawless results.


But the firm keeps growing. Last year, the company announced that they received $550 million in funding. The money will be used to expand to the US and Asia. GP at Hand already launched in Canada last month.

Last month, Babylon also invested in health kiosk operator Higi, a company that has built a network of health stations all over the US. Users can check their blood pressure, pulse, weight, and BMI for free at one of these stations. This deal means that Babylon now has access to data of over 10,000 users in the US.

The company made it very clear in their statement that only users in the UK were affected. Babylon’s international operations were not impacted.

Cybersecurity analyst
David is a cyber security analyst and one of the founders of Interested in the "digital identity" phenomenon, with special attention to the right to privacy and protection of personal data.