Babylon admits ‘software error’ led to data breach of GP at Hand

  • 10 June 2020
Babylon admits ‘software error’ led to data breach of GP at Hand
Babylon Healthcare Service Ltd

Babylon Health has admitted its GP app suffered a data breach after a user was able to access video recordings of other patients’ consultations.

The company confirmed that three patients were able to view recordings of other patient’s consultations using the GP at Hand app.

It said the issue was caused by a software error and had since been fixed, adding regulators had been notified.

Rory Glover said he was able to access more than 50 video recordings when he signed on to GP at Hand, Babylon’s digital primary care app.

Flagging his concern on Twitter, Glover said he had reported the “massive data breach” to the Information Commissioners Office (ICO).

A spokesperson for Babylon said the issue was caused by a new feature allowing users to switch from audio-only to video consultations.

“On the afternoon of Tuesday, 9 June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient’s consultation recording,” they said.

“Our investigation showed that two other patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients’ consultations through a subsection of the user’s profile within the Babylon App.

“This was the result of a software error rather than a malicious attack. The problem was identified and resolved quickly.”

The company’s data protection officer also alerted the ICO.

“Of course we take any security issue, however small, very seriously and have contacted the patients affected to update, apologise to and support where required,” the spokesperson added.

“We proactively notified the Information Commissioner’s Office and will share all the necessary information around this. Affected users were in the UK only and this did not impact our international operations.”

A spokesperson for the ICO said it had provided Babylon with advice following the breach.

“People’s medical data is highly sensitive information, not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law,” a spokesperson said.

“When a data incident occurs, we would expect an organisation to consider whether it is appropriate to contact the people affected, and to consider whether there are steps that can be taken to protect them from any potential adverse effects.

“It is an organisation’s responsibility to fully assess a breach and then judge whether or not they need to report it the ICO. Where possible, this should be done within 72 hours.”

Organisations who deem their breach doesn’t need to be reported are required to keep their own record.

Subscribe to our newsletter

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Sign up

Related News

Digital Health 2023 Year in Review

Digital Health 2023 Year in Review

Digital Health's editor-in-chief Jon Hoeksma looks back at the key trends and big stories over the past 12 months.
Somerset NHS FT contacts patients about data breach

Somerset NHS FT contacts patients about data breach

Patients at Musgrove Park Hospital are being contacted by Somerset NHS Foundation Trust after it was revealed a staff member inappropriately accessed data.
Babylon files for liquidation in US Bankruptcy Court

Babylon files for liquidation in US Bankruptcy Court

Babylon Health has filed for bankruptcy for two US subsidiaries, Forbes has reported, citing filings in the US Bankruptcy Court in Delaware.

1 Comments

  • I dread to think of what that fine was!
    Cowboys.

Comments are closed.