
Babylon Health Data Breach Allowed Users To View Other Patients' Video Consultations (bbc.com)

An anonymous reader quotes a report from the BBC: Babylon Health has acknowledged that its GP video appointment app has suffered a data breach. The firm was alerted to the problem after one of its users discovered he had been given access to dozens of video recordings of other patients' consultations. A follow-up check by Babylon revealed a small number of further UK users could also see others' sessions. The firm said it had since fixed the issue and notified regulators. Babylon allows its members to speak to a doctor, therapist or other health specialist via a smartphone video call and, when appropriate, sends an electronic prescription to a nearby pharmacy. It has more than 2.3 million registered users in the UK. "On the afternoon of Tuesday June 9 we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient's consultation recording," it said in a statement. "Our investigation showed that three patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients' consultations through a subsection of the user's profile within the Babylon app."
  • Telemedicine is all the rage with some people
  • Damn! It's the last time I show my hemorrhoids to my doctor.

  • by Anonymous Coward
    B.S. Babylon needs to fess up that they didn't just have Broken Access Controls, they neglected to implement them at all. i.e.: everybody could view everybody's video recordings just by tweaking a parameter in the document URL.
  • by FeelGood314 ( 2516288 ) on Wednesday June 10, 2020 @10:15PM (#60169474)
    Most companies have crap security. Even the big security companies I've worked at place security as the lowest priority. Everyone seems to be using agile development where they don't actually plan a finished product but put something together with 10 layers of frameworks and tweak it till they have something they like. Sure this is fast but it also means no one actually knows what the code is doing or all the features. The next time a web developer tells me it isn't a real security hole if I send a hand composed TCP stream back to his server I'm probably going to end up in jail for assault or murder.

    So we need to decide if these security lapses are acceptable. People aren't misconfiguring databases to be public, half the time they didn't even know there was a database, it was abstracted by the framework they were using. They just blindly followed some steps on stack overflow until the web page worked. If we don't like the lapses we need to make the fines high enough to discourage this behaviour.
  • I'm more worried about insurance companies spying in on the discussion (yes I read the summary and saw that this was in the UK, but telemedicine is growing rapidly here on this side of the pond as well). Make no mistake about it, insurance companies in the US aren't on the patient's side; they are on the investor's side. If something came out during a telemedicine call that wasn't properly disclosed when signing up for insurance, you can count on the insurance company pouncing on that opportunity.

    That
  • by Anonymous Coward

    I am completely unsurprised by this. The CEO is a pompous and self-aggrandising shit who took over an NHS hospital in Cambs with bold promises about what he'd be able to do with it, and then handed the keys back when he and his pals at Circle made a complete hash of things. Babylon's approach to primary care is no less gross.

    https://www.theguardian.com/so... [theguardian.com]
