Babylon Health has acknowledged that its GP video appointment app has suffered a data breach. The firm was alerted to the problem after one of its users discovered he had been given access to dozens of video recordings of other patients’ consultations. A follow-up check by Babylon revealed a small number of further UK users could also see others’ sessions. The firm said it had since fixed the issue and notified regulators. Babylon allows its members to speak to a doctor, therapist or other health specialist via a smartphone video call and, when appropriate, sends an electronic prescription to a nearby pharmacy. It has more than 2.3 million registered users in the UK.
Brian Higgins, Security Specialist, Comparitech.com
June 10, 2020
Babylon Health have clearly explained that this issue was caused by an internal software update.
The NHS operate their own App Store and any platforms offered by NHS services, including GPs etc., are rigorously tested before they are certified for use. Babylon Health have clearly explained that this issue was caused by an internal software update and not by any malicious or criminal activity. They have also followed their ICO reporting responsibilities. In short, they appear to have done everything right. What this case highlights is that developing technology is fluid, and what might be deemed safe and secure at the point of sale needs regular monitoring to ensure that it stays that way.
Jake Moore, Cybersecurity Specialist, ESET
June 10, 2020
In the wrong hands we could have seen a more malicious outcome, so luckily this was stopped.
Although Babylon Health state they take security issues seriously, it highlights once more how extra careful organisations have to be with private and confidential data. It doesn't get much more sensitive than this level of information, so extra protection must be provided to respect and protect their patients and their information. In the wrong hands we could have seen a more malicious outcome, so luckily this was stopped. What is worrying is how they came about the incident, stumbling upon it.
Niamh Muldoon, Senior Director of Trust and Security, EMEA, OneLogin
June 10, 2020
Organizations should recognize the importance of security and privacy and partner with security platforms.
While it seems Babylon did the right thing by notifying the public and regulators and fixing the issue, this kind of data breach still remains a serious cause for concern. By allowing members of the public's GP sessions to become public, they potentially revealed some of the most sensitive information available about an individual's health, which could in turn be leveraged by further cybercriminals using the information for social engineering campaigns. Malicious attackers know that moving to digital with cloud technology platforms is still very new for many industries, including healthcare. Once they have a set of valid credentials, it is easy to compromise corporate applications, particularly SaaS apps including HR systems, file storage services and CRM. Organizations should recognize the importance of security and privacy and partner with security platforms who can support them in reducing risks and breaches like the above. MFA is a strong control used to reduce the risk of unauthorized access to data and systems; this includes video conferencing. I recommend taking the time to carry out a review of all your other online accounts and if any of your online accounts use the same credentials, including password, as your Babylon account -- Multi-factor authentication (MFA) is currently the best method by which organisations can protect themselves from such breaches, proven to prevent 99.9% of account takeovers. Whether it be a soft token, hard token, certificate or SMS, companies should look at implementing MFA across the board.
