Software Glitch in Telehealth App Allowed Patients to View Videos of Other Patients’ Appointments

A UK-based chatbot and telehealth startup has suffered an embarrassing privacy breach this week. Babylon Health has developed a telehealth app that can be used by general practitioners for virtual appointments with patients. The app allows users to book appointments with their GP, use an AI-based chatbot for triage, and have voice and video calls with their doctor through the app.

On June 9, 2020, a patient used the app to check his prescription and found 50 videos of other patients’ appointments in the consultation replays section of the app. The files contained video replays of consultations between doctors and patients, exposing confidential and, potentially, extremely sensitive information.

The patient took to Twitter to announce the discovery, stating: “Why have I got access to other patients video consultations through your app? This is a massive data breach. Over 50 video recordings are on this list!”

According to a statement released by Babylon Health, the issue was due to a glitch in the software rather than a malicious attack. Babylon Health said it discovered the error shortly before the patient disclosed the breach on Twitter and said the issue was resolved within a couple of hours.

The investigation revealed that three patients were able to access video footage of other patients, but in the other two cases the patients had not viewed any of the video replays. The error was only introduced in the UK version of the app and did not affect its international operations. The error was introduced when the app was updated to allow a patient to switch between audio and video while on a call with a physician.

Babylon Health has reported the breach to the UK Information Commissioner’s Office as required by the EU’s General Data Protection Regulation and will disclose full details about the data breach.

In this case the software error does not appear to have exposed many patients’ consultations, but it is a cause for concern given the highly sensitive nature of the health information disclosed through the app. There are currently around 2.3 million users of the app in the UK, so the breach could potentially have been far worse.

There has been a major expansion of telehealth services in the United States as a result of the COVID-19 pandemic. The HHS’ Centers for Medicare and Medicaid Services (CMS) expanded coverage for reimbursable telehealth services during the COVID-19 pandemic and the HHS’ Office for Civil Rights (OCR) issued a notice of enforcement discretion covering telehealth services, allowing healthcare providers to use communications solutions which may not be fully HIPAA compliant.

Given the increase in telehealth services, and the wide range of apps being used to provide telehealth services, this could well be just the first of several privacy breaches involving telehealth services this year.

While financial penalties may not be issued over privacy and security issues related to the good faith provision of telehealth services during the COVID-19 public health emergency, care should still be taken when choosing a telehealth solution. Many video conferencing apps have not been developed with sufficient security protections to ensure patient information is properly protected, which places patient privacy at risk. As this incident shows, even purpose-built health apps are not immune to data leaks.

To ensure the privacy of patients is protected, all new technology should be subjected to a thorough security review. Now that the COVID-19 pandemic is under better control, it would be an ideal time to review any telehealth applications and other software that has been introduced to ensure appropriate protections are in place to protect patient privacy.

It is also worth considering making the change from consumer-grade apps that were rapidly deployed during the COVID-19 pandemic to support telehealth to a purpose-built healthcare telehealth solution that is HIPAA compliant and incorporates comprehensive privacy and security controls. One such solution, TigerTouch, allows healthcare providers to easily communicate with all members of the care team and conduct telehealth visits with patients at home through the same app. The solution meets all HIPAA requirements, incorporates many safeguards to ensure patient data is protected, and the platform allows files, images, and ePHI to be shared quickly and securely.


Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.