Babylon Health’s GP appointment app has suffered a data breach, and health secretary Matt Hancock is among the app’s users.
The app allows users to access remote consultations with their GP via text and video messaging, either through NHS services or as part of health insurance packages, and has 2.3 million registered users in the UK.
During the Covid-19 pandemic, many have used it as an alternative to visiting their doctor in person.
Babylon user Rory Glover told the BBC that upon logging into the app on Tuesday, he discovered he was able to view about 50 videos in the Consultation Replays section of the app showing footage of other users’ appointments.
Babylon later confirmed that a small number of UK users could view other users’ videos, but that this was due to a software error rather than a “malicious attack”. According to the BBC, Babylon has also notified regulators.
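The article says only that a "software error" presented some patients with other patients' recordings in the Consultation Replays section; the actual cause is not disclosed. The following is an added illustration, not Babylon's code, of the object-level authorization check such a feature needs: the replay listing and each individual fetch are filtered on the server-side session identity rather than on anything the client supplies, and an audit helper replays (session, recording) pairs, for example from access logs, to find requests that crossed a patient boundary, which is the kind of check an incident team would run to establish who was presented with what. Patient and recording identifiers are constructed sample data.

```python
"""Ownership check for a per-patient "consultation replays" feature.

Added illustration only. The article does not disclose the cause of the
Babylon error; this shows the object-level authorization a replay feature
needs, using a constructed in-memory store in place of a database.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Recording:
    recording_id: str
    patient_id: str   # the patient who owns this consultation
    title: str


# Constructed sample data: hypothetical patients and recordings.
RECORDINGS = {
    "rec-001": Recording("rec-001", "patient-A", "Consultation 09 June, 10:00"),
    "rec-002": Recording("rec-002", "patient-B", "Consultation 09 June, 10:30"),
    "rec-003": Recording("rec-003", "patient-A", "Consultation 09 June, 11:00"),
}


class Forbidden(Exception):
    """Raised when a caller asks for a recording they do not own."""


def list_replays(session_patient_id: str) -> List[Recording]:
    """Return only the recordings owned by the authenticated patient.

    The filter uses the identity bound to the server-side session, never
    an identifier taken from the request, so a profile subsection that
    lists "recent recordings" cannot show another patient's consultations.
    """
    return [r for r in RECORDINGS.values() if r.patient_id == session_patient_id]


def get_replay(session_patient_id: str, recording_id: str) -> Recording:
    """Fetch a single recording, enforcing ownership on every object access.

    Listing is not enough: a direct fetch by id must repeat the check.
    The same error is returned for "does not exist" and "not yours", so a
    caller cannot use the response to learn that an id belongs to someone else.
    """
    rec = RECORDINGS.get(recording_id)
    if rec is None or rec.patient_id != session_patient_id:
        raise Forbidden("recording not available to this patient")
    return rec


def audit_cross_patient_access(
    requests: Iterable[Tuple[str, str]]
) -> List[Tuple[str, str]]:
    """Detection helper for incident review.

    `requests` is an iterable of (session_patient_id, recording_id) pairs,
    e.g. reconstructed from access logs. Returns the pairs where the
    recording exists and belongs to a different patient than the session,
    i.e. the accesses that should never have been served.
    """
    crossings = []
    for session_patient_id, recording_id in requests:
        rec = RECORDINGS.get(recording_id)
        if rec is not None and rec.patient_id != session_patient_id:
            crossings.append((session_patient_id, recording_id))
    return crossings


if __name__ == "__main__":
    print([r.recording_id for r in list_replays("patient-A")])
    try:
        get_replay("patient-A", "rec-002")
    except Forbidden as exc:
        print("denied:", exc)
```

The point of the audit helper is that the same ownership predicate used to enforce access at request time can be replayed over historical requests to scope an incident, so the enforcement rule and the detection rule cannot drift apart.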
Babylon Health data breach impacts three patients
In a statement to the Guardian, Babylon Health said: “On the afternoon of Tuesday 9 June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient’s consultation recording.”
“Our investigation showed that three patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients’ consultations through a subsection of the user’s profile within the Babylon app.
“This was the result of a software error rather than a malicious attack. The problem was identified and resolved quickly.
“Of course we take any security issue, however small, very seriously and have contacted the patients affected to update, apologise to and support where required.”
Matt Hancock among Babylon Health customers
Babylon users include Secretary of State for Health and Social Care Matt Hancock. Speaking at Virtual CogX, a festival of AI and breakthrough technology, Hancock said that he did not know about the data breach. However, in comments accidentally broadcast after the talk, he said he should have known, “especially since they’re my GP”, remarking that “they know more about my bunion than anybody”.
Niamh Muldoon, senior director of trust and security at OneLogin, said that breaches such as this risk revealing “the most sensitive information”:
“While it seems Babylon did the right thing by notifying the public, regulators and fixing the issue, this kind of data breach still remains a serious cause for concern. By allowing members of the public’s GP sessions to become public, they potentially revealed among the most sensitive information available about an individual’s health, which could in turn be leveraged by further cybercriminals using the information for social engineering campaigns.
“Malicious attackers know that moving to digital with cloud technology platforms is still very new for many industries, including healthcare. Once they have a set of valid credentials, it is easy to compromise corporate applications, particularly SaaS apps including HR systems, file storage services and CRM. Organisations should recognise the importance of security and privacy and partner with security platforms who can support them in reducing risks and breaches like the above. MFA is a strong control used to reduce the risk of unauthorised access to data and systems; this includes video conferencing.”
Muldoon recommends users review their other accounts:
“I recommend taking the time to carry out a review of all your other online accounts and whether any of your online accounts use the same credentials, including password, as your Babylon account — multi-factor authentication (MFA) is currently the best method by which organisations can protect themselves from such breaches, proven to prevent 99.9% of account takeovers. Whether it be a soft token, hard token, certificate or SMS, companies should look at implementing MFA across the board.”