Babylon Health suffered a data breach where users of the GP remote consultation service were able to access videos of other patients’ appointments with their doctor. The issue came to light on 9 June 2020, when a user announced on Twitter that he was able to access about 50 videos of other patients’ appointments. Babylon Health has since issued a statement confirming that they had resolved the ‘software error’ rather than a malicious attack. The company later confirmed that their investigation showed, “three patients, who had booked and had appointments, were incorrectly presented with recordings of other patients’ consultations through a subsection of the user’s profile within the app but had not viewed them.
As they are legally required to do, Babylon Health reported the data breach to the Information Commissioner’s Office within 72 hours. Although the app has over 2.3 million users in the UK, it appears that only a handful were affected. This may have a bearing on the level of fine imposed by the ICO which can take into account the number of people affected. The ICO will also consider how swiftly Babylon Health reacted, fixing the error and communicating with patients. However, any breach of health-related data will cause much distress, particularly as videos of their private medical consultations have been made available to others. The ICO has the power to fine Babylon Health up to 4% of its worldwide annual turnover and the affected patients may each be entitled to claim compensation from Babylon Health. Given the sensitivity of the breach this could be many thousands rather than hundreds of pounds.