Babylon Health has acknowledged that its GP video appointment app has suffered a data breach. The firm was alerted to the problem after one of its users discovered he had been given access to dozens of video recordings of other patients’ consultations. A follow-up check by Babylon revealed a small number of further UK users could also see others’ sessions. The firm said it had since fixed the issue and notified regulators. Babylon allows its members to speak to a doctor, therapist or other health specialist via a smartphone video call and, when appropriate, sends an electronic prescription to a nearby pharmacy. It has more than 2.3 million registered users in the UK.

Expert Comments

June 12, 2020
Ruston Miles
Chief Strategy Officer
Bluefin
Chatbots, just like websites, are a target for hackers that can be used to penetrate corporate systems and gain access to sensitive payment and personal information. AI and chatbots are often a more direct access point to corporate resources than webpages. As companies add more points of communication access, those become more points for hackers to leverage. Companies need to consider all communication and payment endpoints as potentially vulnerable to a cyber-attack, and protect those endpoints accordingly.
June 12, 2020
Kelvin Murray
Senior Threat Research Analyst
Webroot
Anyone who develops an app that handles sensitive customer data should ask themselves two important questions – is it secure and is it really necessary? We’re seeing that breaches such as these are all too common and anyone looking to save time and money by moving to a digital system should take risks such as these into consideration. Companies who hold private information should also ensure they have clearly defined security policies and procedures to avoid the leak of information. This starts with employee education, which underscores all effective cybersecurity and data protection strategies, and comprehensive best practice guides are critical to protecting information, especially when holding sensitive data on customers. This is especially important in the healthcare industry, which is at particular risk of cyber-attacks and data breaches, as information such as health records is very valuable to criminals. It will always command high prices on the dark web as it can be used for criminal activities such as fraud, extortion and in the drug trade.
June 12, 2020
Rufus Grig
Chief Strategy Officer
Maintel
All organisations are under pressure to make sure data is kept secure, none more so than those operating in the healthcare sector. Companies like Babylon Health are responsible for managing and securing highly sensitive data. Often the focus is on creating a secure environment that defends against would-be cyber attackers, as criminals see the sensitive data held as a potential treasure trove. But organisations must also ensure that the data they collate is managed correctly and access to it is strictly controlled. Failure to manage this access correctly leads to highly sensitive data breaches that could be, and should be, avoided.
June 11, 2020
Aman Johal
Lawyer and Director
Your Lawyers
It’s extremely alarming to hear that a user of the Babylon Health app has been able to access dozens of confidential video recordings of other patients' consultations. With more than 2.3 million registered users in the UK, we are concerned that many more may have been affected with extremely private information leaked. We urge others to follow this lead and come forward, as we know from experience in helping others just how bad this kind of data breach can be. Those affected could be eligible to receive significant compensation for Babylon Health’s negligence which could result in potentially damaging emotional harm for patients. With doctors difficult to access due to coronavirus restrictions, many are relying on technological solutions like Babylon Health. Data breaches like this show that there is still much more that needs to be done to ensure we can trust in the use of such technology. Healthcare organisations can be particularly vulnerable to data breaches due to the wealth of highly sensitive information they hold, and firms operating in this sector must go the extra mile to ensure data is protected, or face the consequences.
June 10, 2020
Joseph Carson
Chief Security Scientist
Thycotic
While the risk was limited, it is a scary thought that sensitive patient data via video consultations could be accidentally disclosed. This is a reminder of how important the principle of least privilege is, along with strong access controls that reduce accidental data disclosures. This has become an all too common occurrence, as highlighted in the recent 2020 Verizon Data Breach Investigations Report, which revealed that human error and misconfigurations are on the rise and contributing to many data breaches.
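The incident described on this page, a logged-in user able to retrieve recordings of consultations they were not part of, is a failure of object-level authorization rather than of authentication. The example below is added here and is not Babylon's code; it uses constructed recording data and audit log lines to show the vulnerable lookup pattern beside a deny-by-default check, plus a simple audit query that would surface one account viewing other patients' recordings.

```python
"""Added example (constructed data): per-consultation access control and audit."""
from collections import defaultdict

# Constructed sample data: recording id -> (patient id, clinician id).
RECORDINGS = {
    "rec-001": ("patient-A", "gp-1"),
    "rec-002": ("patient-B", "gp-1"),
    "rec-003": ("patient-C", "gp-2"),
}

def fetch_recording_vulnerable(requester: str, recording_id: str):
    """The leak pattern: the caller is authenticated, but the lookup is keyed
    only on the recording id, so any valid id is served to any valid user."""
    return RECORDINGS.get(recording_id)

def is_authorized(requester: str, recording_id: str) -> bool:
    """Object-level check: only the patient or clinician who took part in the
    consultation may see it. Unknown ids and non-participants are denied."""
    parties = RECORDINGS.get(recording_id)
    return parties is not None and requester in parties

def fetch_recording(requester: str, recording_id: str):
    """Hardened fetch: deny by default, serve only after the participant check."""
    if not is_authorized(requester, recording_id):
        return None
    return RECORDINGS[recording_id]

def list_recordings(requester: str):
    """Listings are derived from the requester's own participation, never from
    a global table of all recordings."""
    return sorted(rid for rid, parties in RECORDINGS.items() if requester in parties)

# Constructed audit log: "<viewer> viewed <recording_id> patient=<patient_id>".
AUDIT_LOG = """\
patient-A viewed rec-001 patient=patient-A
patient-A viewed rec-002 patient=patient-B
patient-A viewed rec-003 patient=patient-C
gp-1 viewed rec-001 patient=patient-A
gp-1 viewed rec-002 patient=patient-B
"""

def flag_cross_patient_views(log_text: str):
    """Detection over audit lines: for each viewer, count distinct patients whose
    recordings they viewed without being a participant in that consultation.
    Any non-zero count is the signal this incident produced."""
    foreign = defaultdict(set)
    for line in log_text.splitlines():
        viewer, _verb, rid, patient_field = line.split()
        patient = patient_field.split("=", 1)[1]
        if not is_authorized(viewer, rid):
            foreign[viewer].add(patient)
    return {viewer: len(patients) for viewer, patients in foreign.items()}
```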
June 10, 2020
Brian Higgins
Security Specialist
Comparitech.com
The NHS operate their own App Store and any platforms offered by NHS services including GPs etc. are rigorously tested before they are certified for use. Babylon Health have clearly explained that this issue was caused by an internal software update and not by any malicious or criminal activity. They have also followed their ICO reporting responsibilities. In short, they appear to have done everything right. What this case highlights is that developing technology is fluid and what might be deemed safe and secure at the point of sale needs regular monitoring to ensure that it stays that way.
June 10, 2020
Jake Moore
Cybersecurity Specialist
ESET
Although Babylon Health state they take security issues seriously, it highlights once more how extra careful organisations have to be with private and confidential data. It doesn’t get much more sensitive than this level of information, so extra protection must be provided to respect and protect their patients and their information. In the wrong hands we could have seen a more malicious outcome, so luckily this was stopped. What is worrying is how they came about the incident, stumbling upon it.
June 10, 2020
Niamh Muldoon
Senior Director of Trust and Security, EMEA
OneLogin
While it seems Babylon did the right thing by notifying the public and regulators and fixing the issue, this kind of data breach still remains a serious cause for concern. By allowing members of the public’s GP sessions to become public, they potentially revealed among the most sensitive information available about an individual’s health, which could in turn be leveraged by further cybercriminals using the information for social engineering campaigns. Malicious attackers know that moving to digital with cloud technology platforms is still very new for many industries including healthcare. Once they have a set of valid credentials, it is easy to compromise corporate applications, particularly SaaS apps including HR systems, file storage services and CRM. Organizations should recognize the importance of security and privacy and partner with security platforms who can support them in reducing risks and breaches like the above. MFA is a strong control used to reduce the risk of unauthorized access to data and systems; this includes video conferencing. I recommend taking the time to carry out a review of all your other online accounts and if any of your online accounts use the same credentials including password as your Babylon account -- Multi-factor authentication (MFA) is currently the best method by which organisations can protect themselves from such breaches, proven to prevent 99.9% of account takeovers. Whether it be a soft token, hard token, certificate or SMS, companies should look at implementing MFA across the board.