ipopba - stock.adobe.com

Virtual GP practice accidentally exposes patient video calls

A small number of users of Babylon’s GP at Hand service were briefly able to view other patients’ video GP consultations thanks to a bug in a new software feature

Babylon, the UK-based software firm behind the GP at Hand service, a mobile app offering virtual video appointments with GPs, has notified a minor data breach to regulators after users found they were able to view the consultations of other service users in the app.

Computer Weekly understands that Babylon became aware of the issue via one of its own clinicians approximately an hour before one of the affected users got in touch with it and had switched off video access to begin its own assessment within two hours.

The incident affected only a small number of patients using a new feature in the app where they had booked an audio-only appointment and then used an option to switch to video during the call. One of the affected users, who accessed the service through a Bupa health insurance plan, told the BBC he had spotted about 50 videos that did not belong to him made available in a part of the app that allows patients to replay their consultations

“On the afternoon of Tuesday 9 June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient’s consultation recording,” a Babylon spokesperson said.

“Our investigation showed that two other patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients’ consultations through a subsection of the user’s profile within the Babylon App.

“This was the result of a software error rather than a malicious attack. The problem was identified and resolved quickly. Of course we take any security issue, however small, very seriously and have contacted the patients affected to update, apologise to and support where required.

“We proactively notified the Information Commissioner’s Office and will share all the necessary information around this. Affected users were in the UK only and this did not impact our international operations.”

Read more about data breaches

Babylon’s app, which has in the past received backing from health secretary Matt Hancock, was officially launched back in 2017 and gives registered patients access to a 24/7 virtual GP service and an AI-driven symptom checker.  More recently it has launched its own Covid-19 app.

The firm has attracted controversy before, with concerns being raised over the robustness and transparency of the underlying software. Others have branded the service exclusionary, saying it is mainly targeted at young, fit and healthy people and is poorly equipped to deal with more complex healthcare needs in older people and other marginalised groups.

It also requires that users de-register from their bricks and mortar GP practice, raising concerns over how frontline healthcare is funded. Nevertheless, it has become one of the largest GP practices in the UK in terms of patient numbers.

Egress CEO Tony Pepper said: “While it’s positive that they identified and resolved the issue within two hours, suppliers such as Babylon offering technology to support new ways of working must ensure data security is core to anything they're developing, this includes fully authenticating users before they access data and making sure data isn't deposited, replicated or transferred into portals or insecure areas where it can be subject to unauthorised access.”

Pepper added that this was becoming particularly important as so many organisations undergo wholesale digital transformation as social distancing measures make it impossible to sustain traditional working models

“This is particularly true for healthcare providers, who previously relied heavily on face-to-face interactions to treat all patients,” he said. “However, it's imperative that this digitalisation revolution has data security hardwired into it.”

Read more on Data breach incident management and recovery