Babylon Health App Leaked Patients’ Video Consultations

6 years ago Graham Cluley

Babylon Health, makers of a smartphone app that allows Brits to have consultations with NHS doctors, has admitted that a “software error” resulted in some users being able to access other patients’ private video chats with GPs.

The data breach came to light after one user, Rory Glover, tweeted that he was shocked to find the app’s “GP at Hand” functionality had given him unauthorised access to “over 50 video recordings”:

“Why have I got access to other patients video consultations through your app? This is a massive data breach. Over 50 video recordings are on this list!”

Glover attached a screenshot, showing that it was possible to replay the medical consultations on his Android smartphone:

In a statement given to The Guardian, Babylon Health confirmed the breach, and said that only three patients booking appointments had been presented with other patients’ video recordings:

“On the afternoon of Tuesday 9 June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient’s consultation recording.”

“Our investigation showed that three patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients’ consultations through a subsection of the user’s profile within the Babylon app.”

“This was the result of a software error rather than a malicious attack. The problem was identified and resolved quickly. Of course we take any security issue, however small, very seriously and have contacted the patients affected to update, apologise to and support where required.”

A Babylon Health spokesperson separately claimed that the firm’s software engineering department was already aware of the issue before it was made aware of Glover’s discovery.

As the underlying problem was a software problem I did wonder how only three patients were given access to other patients’ video consultations via the app, or whether there was a particular sequence of conditions that had to be present for a user to gain access to the sensitive recordings.

No more details have been shared by Babylon Health about the nature of the software bug, other than to say that it has now been fixed, and that it was related to a newly-introduced feature that allowed users to switch from audio-only calls with a GP to video-based consultations part way through a call.

To make mistakes is human, and software developers are (mostly) human… so it’s not a surprise to hear that a complex app like this might have bugs. However, it underlines the importance of proper quality control and testing before an app – especially one like this which is used for communicating personal and sensitive medical information – is rolled out to the public.

The UK’s data regulator, the Information Commissioner’s Office (ICO), confirmed that it had been contacted about the incident, and underlined the importance of properly securing the public’s private medical information:

“People’s medical data is highly sensitive information, not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law. When a data incident occurs, we would expect an organisation to consider whether it is appropriate to contact the people affected, and to consider whether there are steps that can be taken to protect them from any potential adverse effects.”

And I think that’s a very important point to make. Although the number of people affected by this particular data breach appears to have fortunately been small, health data has been given “special category” status, meaning that the highest levels of data protection should be in place.

And, as an incentive for any companies who might need convincing of the importance of properly securing medical data, very large financial penalties can be meted out by regulators if they determine an organisation was careless or did not take the threat seriously enough.

For his part, Glover said he would not be trusting the Babylon Health app again, telling The Guardian:

“It’s an issue of doctor-patient confidentiality. You expect anything you say to be private, not for it to be shared with a stranger.”

Babylon Health, whose GP at Hand app has been the subject of some controversy in the past, intends to expand into the United States and Asia.

The post “Babylon Health App Leaked Patients’ Video Consultations” appeared first on TripWire.

Source: TripWire – Graham Cluley
