Babylon Health says patient breach was caused by a software error

15 Jun 2020

The error was discovered after a Babylon Health user was mistakenly given access to another user’s video consultation recordings through the company’s app.

Babylon Health, a UK-based AI chatbot and telehealth start-up that was valued at more than $2bn after a $550m funding round last year, has confirmed that its platform suffered a data breach.

The start-up provides services to the NHS as well as companies such as Prudential, Samsung, Telus and Bupa. The breach became public knowledge last week after a customer using Babylon Health’s technology through Bupa tweeted that he could access recordings belonging to other patients using the app.

Rory Glover, who lives in Leeds, said: “Why have I got access to other patients’ video consultations through your app? This is a massive data breach. Over 50 video recordings are on this list.”

Glover told the BBC that he was “shocked” to see data exposed on a “trusted app”. He described it as a “monumental error”.

Babylon Health’s response

Babylon Health has since acknowledged the breach and said that the issue has been fixed and the appropriate regulators have been notified. The company said the incident occurred due to a “software error and not a malicious attack”.

In a statement, the company said: “On the afternoon of Tuesday 9 June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient’s consultation recording.

“Our investigation showed that three patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients’ consultations through a subsection of the user’s profile within the Babylon app.

“Of course we take any security issue, however small, very seriously and have contacted the patients affected to update, apologise and support where required.”

The company said that the software problem was accidentally introduced to the app when it was launching a new feature that allows users to switch from audio to video-based consultations during a call.

Glover told the BBC that he does not intend to use the app again. “It’s an issue of doctor-patient confidentiality,” he said. “You expect anything you say to be private, not for it to be shared with a stranger.”

‘Highly sensitive information’

The UK Information Commissioner’s Office (ICO) said that it provided advice to the healthtech start-up following the breach.

“People’s medical data is highly sensitive information, not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law,” the ICO said.

“When a data incident occurs, we would expect an organisation to consider whether it is appropriate to contact the people affected and to consider where there are steps that can be taken to protect them from any potential adverse effects.”

In a notice to patients, Babylon Health said that it has “launched an in-depth investigation into this incident to identify exactly what went wrong and to ensure that it doesn’t happen again”.

Kelly Earley was a journalist with Silicon Republic
