Babylon Health app error allowed U.K. users to watch videos of other patients' private doctor visits
Version of the telemedicine app used in B.C., Alberta, where it's under investigation by privacy commissioner
A virtual medicine app under investigation by Alberta's privacy commissioner allowed some users in the United Kingdom to view video recordings of other patients' visits with their doctor.
But the Alberta government says the version of the app used in the province is different, and it doesn't believe Canadian personal information is at risk.
Babylon Health knows of three users in the U.K. who could access the personal information of other patients in the U.K., a company spokesperson said in a statement. The breach did not affect international users, the company said, and was caused by a software error.
The company realized on Tuesday afternoon that a patient could see other patients' recordings of a consultation with their doctor, the spokesperson said.
Babylon didn't say which patient had noticed the breach, but one user of the app tweeted Tuesday that he was able to view at least 50 other patients' private consultations.
He provided a screenshot showing the list of videos.
Under investigation in Canada
In Canada, Babylon partnered with Telus to offer video consultations through its app to patients in Alberta and B.C.
A spokesperson for Alberta Health said the government is not aware of any similar issues in Canada. The U.K. Babylon Health app is different than the app used in Alberta and created for the Telus and Babylon partnership, the spokesperson said.
"We do not believe there is any similar risk in Alberta. We will be contacting Telus to confirm that this is accurate and that all appropriate steps continue to be taken to protect the privacy of Albertans," an emailed statement from Alberta Health read. "Patient confidentiality is our top priority."
A Telus spokesperson confirmed the Canadian version of the app and its users were not affected.
"Protecting patient data continues to be the cornerstone of our health-care business," an emailed statement from Telus read.
The Alberta government endorsed the Babylon app by promoting it in a news release in March, but the product garnered criticism over its privacy policy, which states the company may share personal information with corporate partners. The app also launched before the province's privacy commissioner could assess it.
Alberta's privacy commissioner has opened two investigations into the app.
Babylon Health said an investigation showed the app presented other users' personal medical information to two other patients with appointments Tuesday. However, the company said those two users did not access other patients' information. It said the issue was resolved within two hours.
"This was the result of a software error rather than a malicious attack. The problem was identified and resolved quickly. Of course we take any security issue, however small, very seriously and have contacted the patients affected to update, apologise to and support where required," the spokesperson said.
"We proactively notified the [U.K.] Information Commissioner's Office and will share all the necessary information around this."
Larger leak possible, expert says
The leak may have affected more than the three users mentioned by Babylon, said Chester Wisniewski, principal research scientist at British data security firm Sophos.
"It seems incredibly unlikely that it affected three people. It's three people that reported it to them," he said.
"Health-care privacy is always a really sensitive topic, right, because it's a really personal thing.
"Obviously it's never good news for your private conversation with your doctor to be available to somebody."
Wisniewski said it was only a matter of time before a data leak like this happened, as people flock to telemedicine apps during the COVID-19 pandemic.
"These medical app companies went from potentially tens of thousands of users three months ago to millions," Wisniewski said.
"The kind of growth that happens at a tech company to accommodate that massive expansion in the use of their services, mistakes are going to be made in companies far wealthier and far more technical than these companies."
He noted that video conferencing company Zoom also experienced privacy breaches following high demand during the pandemic.
Babylon users can't do much to protect their privacy, Wisniewski said, other than to choose which apps to use or decide against using telemedicine apps at all.
"I don't think consumers have much choice, sadly. At least for me, my physician chose what [app] they wanted to use. So it's really outside the hands of most people to choose. It's more of, am I comfortable using this at all?"