A user of a popular health app was inadvertently able to access dozens of video recordings of other patients' consultations, which has been blamed on a 'software error'

The Babylon Health data breach, which allowed users of the GP remote consultation service to access videos of other patients' appointments with their doctor, will be remembered for a long time. With Covid-19 driving a more remote way of patients engaging with medics, news of the breach sent a chill down many a spine.

The issue first came to light on 9 June when a user announced on Twitter that he had been able to view about 50 videos of other patients' appointments. A follow-up check by the firm revealed that other UK users could also see others' sessions.

The company’s own investigations had shown that "three patients, who had booked and had appointments, were incorrectly presented with…recordings of other patients' consultations through a subsection of the user's profile within the app, but had not viewed them". Babylon Health also confirmed that it had resolved what was a 'software error', rather than a malicious attack, and had notified regulators.

Babylon allows its members to speak to a doctor, therapist or other health specialist via a smartphone video call and, when applicable, sends an electronic prescription to a nearby pharmacy. It has more than two million registered users in the UK.

Aman Johal, director and lawyer of YourLawyers, says that since the coronavirus outbreak, there has been a huge increase in demand for digital healthcare services. "In 2019, just 1% of NHS appointments took place over video conference. In March this year, requests for video consultations on the healthcare app myGP skyrocketed by 1,451%.

With more patients than ever registering with digital healthcare providers, it's extremely alarming to hear that a user of the Babylon Health app was able to access dozens of confidential video recordings of other patients' consultations.

More than 2.3 million registered users across the UK have trusted Babylon with their confidential health data. The exposure of private video consultations to third-party users is not only a failure of doctor-patient confidentiality, but also a serious breach of the GDPR. This revelation may shatter consumer trust in digital healthcare," Johal warns.

Cybersecurity firm Carbon Black estimates that personal health information is three times more valuable to hackers than other identifying information, adds Johal. "This makes services like Babylon Health lucrative targets for hackers, and they are commonly attacked: a report released by Clearswift earlier this year revealed that in 2019 almost two-thirds of healthcare services suffered a cyber-security incident. Despite the potential penalties imposed by the ICO in the post-GDPR era, lessons have clearly not been learned."

Although Babylon blamed the breach on a software error, rather than a malicious attack, Johal still points to serious shortcomings. "Software glitches differ from the targeted cyberattacks we are used to seeing in the media, but the fact this error originated from within the company itself does not make it any less harmful. All organisations must ensure they employ systems and procedures to identify and prevent potential vulnerabilities being exposed, including staff training."

"These past few months have been unprecedented in lots of ways, with many new working practices thrust upon businesses that were generally unprepared for such sudden changes," says Steve Jackson, sales director at Clinical DPO, one of the largest outsource data protection officer suppliers in the healthcare sector. "With a very challenging economic environment ahead of us, many are saying this is the litmus test for data protection."

Will it be viewed as too difficult and too restrictive in the fluid new normal business environment, does he think? "Not necessarily. With many businesses now capturing clinical data about their staff and their customers, in order to protect both from COVID-19, CDPO has received many calls from clients now seeing the importance of data usage in a first-hand way and, with that, a new appreciation of the risk to data posed by many of these new working practices."

So, why has it taken such a dramatic event to have organisations reassess their own attitude to data and to their own risk regarding potential brand and financial exposure?

"The answer lies in a cursory review of the two years plus since the introduction of GDPR," states Jackson. "This new legislation brought a wave of products encouraging businesses to buy a flat-packed tick-box data protection compliance solution and today we are still told by organisations that they have 'completed their GDPR', not appreciating that GDPR is not a one-time project, but, much like financial accounting requirements or HR, data protection must be integrated into the organisation, so it becomes part of the company DNA and embedded into 'business as usual'."

How exactly can this be achieved? "GDPR introduced a mandated approach to the appointment of a DPO for organisations processing large-scale health data," according to Jackson. "A glance at the ICO's public register, however, indicates that many organisations both large and small are still to appoint a DPO. The single greatest reason that we see for this lack of appetite for change is a lack of time that business allocates to effect this change."

Many data protection issues are not simply data problems, he adds - they often arise from an organisation's governance and culture, as well as operational decision-making, "whether it be understanding the need, implementing the correct resource or service, or, as we have seen on many occasions as an outsourced DPO service, taking the time to implement the processes and support being provided by the DPO".

There are no silver bullet solutions, Jackson concludes. "However, embedding data protection by design is better in the long run, but a business must engage to effect this change. Until this is accepted and understood, data protection will only remain on the periphery of a business."

The root cause of the Babylon Health breach has never been fully disclosed, but may be attributed to inadequate testing of the new feature before moving it into a production environment, suggests Rob Treacey, MD and co-head of Xcina Consulting and Shearwater Group DPO. "Although it seems that Babylon Health has tried to downplay the significance of the exposure and remediated it in a timely manner, such breaches can have an adverse impact on an organisation."

It remains to be seen whether Babylon Health will experience any longer-lasting reputational damage or if it will be able to fully recover from such a breach, he adds. "However, one thing is for certain: users will be more cautious about using the App in future or may simply refuse to use it altogether, especially if they have an alternative."

As Treacey points out, end users need to have absolute confidence and complete trust in an organisation's ability to safeguard their personal data, especially where that involves sensitive personal data.

"As a risk management consultancy that performs regular reviews and audits of our clients, we see such process and control weaknesses within the software development lifecycle as not uncommon." These are normally the result of:

- Failure to adequately test and sign off software updates or upgrades before release into a production environment
- Lack of oversight by organisations that outsource their software development to third parties
- Lack of awareness by developers and testers around the latest software security risks and vulnerabilities, such as injection, security misconfigurations, sensitive data exposure and authentication
- Software design or architecture that is inadequate
- Cutting corners, due to the pressure to release software updates or upgrades against tight deadlines.

"Any organisation that experiences a data breach, due to a software weakness or any related software processes and controls," he says, "is merely putting itself in the shop window for a future cyber-attack, not to mention any subsequent fine from a supervisory authority. Some organisations may be able to minimise their reputation damage or loss of users, but others may be less fortunate."

"Anyone who develops an app that handles sensitive customer data should ask themselves two important questions - is it secure and is it really necessary?" advises Kelvin Murray, senior threat researcher at Webroot. "We're seeing that breaches such as these are all too common and anyone looking to save time and money by moving to a digital system should take risks such as these into consideration.

"Companies that hold private information should also ensure they have clearly defined security policies and procedures to avoid the leak of information. This starts with employee education, which underscores all effective cybersecurity and data protection strategies, and comprehensive best practice guides are critical to protecting information, especially when holding sensitive data on customers.

"This is especially important in the healthcare industry, which is at particular risk of cyber-attacks and data breaches, as information such as health records is very valuable to criminals. It will always command high prices on the dark web, as it can be used for criminal activities such as fraud, extortion and in the drug trade."

And the outcome of the breach at Babylon Health? It will face "no further action", the ICO has since confirmed.

"When a data incident occurs, we would expect an organisation to consider whether it is appropriate to contact the people affected, and to consider whether there are steps that can be taken to protect them from any potential adverse effects," a spokesperson said. "Babylon Health reported an incident to us. After looking at the details, we provided Babylon with detailed advice and concluded no further action was necessary."

The ICO had the power to fine Babylon Health up to 4% of its worldwide annual turnover, while the affected patients might yet be entitled to claim compensation.

Concerns that digital tracing systems for COVID-19 could become 'back doors' to mass surveillance have already mounted, with academics from 26 countries issuing a warning that contact-tracing apps could hamper trust. Confirming you have been infected with coronavirus requires personal data to be submitted, recorded, exchanged and stored, with some apps, like the UK government's NHSX, indicating that it may be stored and used for future research purposes.

But with backing as part of the European Open Science Cloud (EOSC) - a far-reaching initiative that is changing the way in which European research is conducted, with researchers quickly developing instant diagnoses for major diseases and tackling climate change - a small research team has been able to respond rapidly to the pandemic and develop a contact-tracing app in the space of a few months.

This app - called Tracing Ireland's Population (TIP) - gives users ownership of their data, places them in full control of any track and tracing (rather than an automated program collecting and storing your information to be used at a later date), and hosts all information in encrypted form.

"Alexa will invade your privacy more than our app does," claims co-creator Dr Paul Byrnes. "Like many contact-tracing systems hoping to end blanket lockdowns by providing an accurate, targeted picture of infections, our new facility looks set to enable smaller, localised restrictions.

"The success of any contact-tracing app depends on whether people will engage with it and, if they don't trust it, they won't use it," comments Byrnes. "It's that simple. Once the pandemic is over, all data will be erased."