Patient video consultations leaked in medical data breach: Babylon Health

This story was originally published on Security Report.

In an unfortunate incident, video consultations of some patients using the Babylon Health app were leaked to other users of the app. It couldn’t be a worse time for an incident like this to take place, given all the panic surrounding the COVID-19 crisis.

According to the company’s website, “Babylon’s mission is to put an accessible and affordable health service in the hands of every person on earth.” They make this possible by bringing doctors and patients together via their in-app video consultation sessions.

Image credit: Rory G (Twitter)

An app user, Rory Glover, tweeted: “Why have I got access to other patients video consultations through your app? This is a massive data breach. Over 50 video recordings are on this list!”

As the BBC reported, the London-based company has confirmed the breach:

“On the afternoon of Tuesday 9 June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient’s consultation recording,” said Babylon in a statement. “Our investigation showed that three patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients’ consultations through a subsection of the user’s profile within the Babylon app.”

On Wednesday, the firm further clarified that a total of three patients, and not one patient, had inadvertent access to the video sessions.

“This was the result of a software error rather than a malicious attack,” they said. “The problem was identified and resolved quickly. Of course we take any security issue, however small, very seriously and have contacted the patients affected to update, apologise to and support where required.”

Naturally, medical data is regarded as highly sensitive, personally identifiable information that demands stringent security in jurisdictions around the world. Luckily, the company gave the reassurance that “affected users were in the UK only and this did not impact our international operations.”

The Information Commissioner’s Office (ICO) confirmed that it was notified by Babylon about the breach and is awaiting a report from the company with findings related to the incident.

“People’s medical data is highly sensitive information, not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law,” said an ICO spokesperson. “When a data incident occurs, we would expect an organisation to consider whether it is appropriate to contact the people affected, and to consider whether there are steps that can be taken to protect them from any potential adverse effects.”

Babylon told the BBC they have already been in touch with everyone involved to inform them, and to apologise.

Originally published on June 11, 2020.




Security Researcher | Tech Columnist |

Ax Sharma
