
Breach of Telehealth App Babylon Health Raises Privacy Concerns

While Babylon Health is UK-based, its recent breach that allowed patients to view appointments of other patients raises a host of privacy concerns in light of telehealth expansion in the US.

UK-based telehealth app Babylon Health recently experienced a breach of its general practitioner platform in which users were able to access video recordings of other patients’ appointments, as first reported by the BBC.

On June 9, a patient announced on Twitter that he was able to view videos from about 50 other patient appointments. Babylon Health later issued a statement that confirmed that just three of its patients were able to access other patient appointments due to a “software error” and not a malicious attack.

Babylon Health’s investigation found the breach was limited to those few patients who “were incorrectly presented with…recordings of other patients’ consultations through a subsection of the user’s profile within the app but had not viewed them.” The company has since notified regulators.

The issue was inadvertently introduced through a new feature on the Babylon platform, allowing users to switch from audio to video communication during the call with their provider. The vendor was reportedly notified of the issue just before the patient announced the breach on Twitter. The affected users were only based in the UK.

“Of course, we take any security issue, however small, very seriously and have contacted the patients affected to update, apologize to and support where required,” a Babylon Health spokesperson said in a statement to the BBC.

“We identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient's consultation recording,” they added. “Our investigation showed that three patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients' consultations through a subsection of the user's profile within the Babylon app.”

Given the rapid expansion of telehealth use in the US in response to the COVID-19 pandemic, the breach raises several privacy alarms.

To James Carder, chief security officer of LogRhythm Labs, the breach demonstrates how a lapse in security can compromise patient care, safety, and trust, as well as expose sensitive clinical information.

“Emerging health tech startups must ensure that data protection is of the utmost priority, especially when sensitive patient data is collected, recorded and stored,” Carder said in an emailed statement. “The healthcare sector’s access to vast, valuable data types is a key target for various intelligent threat actors.”

“Unfortunately, Babylon Health made a software error that allowed others to access intimate conversations and information on patients’ health,” he added. “Of note, Babylon Health has yet to disclose exactly what this software error was. The breach could have been due to a lack of segregation between patients, the improper use of a shared repository, or a basic web application security flaw allowing users to access each other’s data.”

In light of the pandemic, these technologies, including chatbots and other diverse tools, are crucial to patient care. But Carder stressed that without more information on how and why just three users were able to access the recordings, it will be difficult to truly understand the extent of the breach.

Protecting data has become much more complex, which means it’s critical that health tech companies leverage full visibility into the infrastructure of their software and source code to ensure “lapses in security can rapidly be detected before patient care is at risk,” Carder explained.

“Even though Babylon Health stated that a user found the exposed vulnerability, it is highly likely that cybercriminals, who are scouring the internet for vulnerable web applications to exploit and steal information, have already noticed and taken advantage,” he added.

“Any breach of health-related data will cause much distress, particularly as videos of their private medical consultations have been made available to others,” Toni Vitale, partner and Head of Data Protection at JMW Solicitors LLP, said in a statement. “The UK Information Commissioner’s Office has the power to fine Babylon Health up to 4 percent of its worldwide annual turnover and the affected patients may each be entitled to claim compensation from Babylon Health.”

Security researchers have recently warned that rapidly deployed technologies may be placing the overall healthcare infrastructure at risk of attack. Healthcare organizations must ensure they have complete visibility and control over these new technologies, especially given the rise in COVID-19-related attacks. If not, these newly introduced technologies will pose a greater problem for these entities down the line.
