Babylon Health, the virtual GP service used by a number of health insurance providers, has admitted it has suffered a data breach.
The breach was identified after a user, who was a Bupa member, found he could access other patients’ video consultations.
Babylon said a follow-up check revealed a small number of UK users could also see others’ sessions.
Babylon Health said it has now rectified this problem and notified the Information Commissioner’s office, which regulates data protection in the UK.
The Babylon Health app allows uses to speak to a doctor or other health specialist via a video call. Like other virtual GP services this also allows the GP to send an electronic prescription to a nearby pharmacy.
These services have been growing in popularity in recent years, and Babylon Health now has more than 2.3m registered users in the UK. Demand for these services is thought to have grown following the coronavirus pandemic, when many people have been unable to access traditional GP services and other primary healthcare.
A number of insurers have added virtual GP services to group risk and medical insurance policies as an additional free benefit.
A spokesman for Babylon Health said “On the afternoon of Tuesday 9 June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient’s consultation recording.”
It added this was a result of a software error rather than a malicious attack.
It added: “The problem was identified and resolved quickly. Of course we take any security issue, however small, very seriously and have contacted the patients affected to update, apologise to and support where required.”
Following the news of this breach the chief executive of the data security specialists Egress, Tony Pepper said: “The Covid-19 pandemic has compelled many organisations to undergo large-scale digital transformation as social distancing makes it impossible to sustain traditional ways of working.
“This is particularly true for healthcare providers, who previously relied heavily on face-to-face interactions to treat all patients. However, it’s imperative that this digitalisation revolution has data security hardwired into it.
“Whilst it’s positive that they identified and resolved the issue within two hours, vendors like Babylon offering technology to support new ways of working must ensure data security is core to anything they’re developing, this includes fully authenticating users before they access data and making sure data isn’t deposited, replicated or transferred into portals or insecure areas where it can be subject to unauthorised access.”
