Babylon Health: GP patients' private videos shared with other users in data breach

Babylon Health has been responsible for providing users with buggy software that shared recordings made by other patients.

It was discovered that its video GP consultation feature could be accessed by other patients.

Babylon Health allows users to speak to health specialists via a smartphone app and can send an electronic prescription to nearby pharmacies.

In the UK it has 2.3 million users. No international users were affected.

The issue was revealed by a user on Twitter, with the company saying that the issue was a software error rather than a “malicious attack”.

Rory Glover discovered that he had approximately 50 videos in his Consultation Replays section of the app, he told the BBC.

He had access to Babylon Health via his private health insurance Bupa membership,

These videos were not made by him. Clicking on one showed a file uploaded by another person.

“I was shocked,” Glover said. “You don't expect to see anything like that when you're using a trusted app. It's shocking to see such a monumental error has been made.”

Glover said he did not intend to use the service again because of the “issue of doctor-patient confidentiality.”

In a statement, Babylon Health said: “On the afternoon of Tuesday 9 June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient’s consultation recording.”

“Our investigation showed that three patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients’ consultations through a subsection of the user’s profile within the Babylon app.”

“This was the result of a software error rather than a malicious attack. The problem was identified and resolved quickly.”

“Of course we take any security issue, however small, very seriously and have contacted the patients affected to update, apologise to and support where required.”

The company said that it has reported the issue to the Information Commissioner's Office, and informed users who have been affected to apologise.

“People's medical data is highly sensitive information, not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law,“ a spokesperson for the ICO said.

”When a data incident occurs, we would expect an organisation to consider whether it is appropriate to contact the people affected, and to consider whether there are steps that can be taken to protect them from any potential adverse effects.“

Services provided by Babylon Health have previously been described as “revolutionary” by health secretary Matt Hancock despite criticisms from NHS England that the service was allowed to launch in Birmingham without proper independent evaluations.

In 2018, it was also revealed that the health secretary had endorsed the private healthcare company in a sponsored newspaper piece.

Labour accused the minister of breaking ministerial code which states ministers should not:“normally accept invitations to act as patrons of, or otherwise offer support to, pressure groups or organisations dependent in whole or in part on government funding.”