Software Glitch in Telehealth App Enabled Patients to View Videos of Other Patients’ Appointments

A chatbot and telehealth startup based in the UK has experienced a humiliating privacy breach this week. Babylon Health created a telehealth app that general practitioners may use for virtual sessions with patients. The app enables users to schedule appointments with their doctor, utilize an AI-based chatbot for triage, and make voice and video conferences with their physician using the app.

On June 9, 2020, a patient using the app to check his prescription discovered the videos of 50 patients’ appointment sessions in the replays section of the app. The files consist of video replays of appointments between physicians and patients, exposing confidential and, potentially, highly sensitive information.

The patient announced the discovery on Twitter. Having access to video consultations of patients in the app is a huge data breach with over 50 video recordings.

Babylon Health released a statement saying that the issue was caused by a glitch in the software program instead of a malicious attack. Babylon Health stated that it became aware of the error before the patient’s disclosure of the breach on Twitter and said that the glitch was resolved within a few hours.

According to the investigation, three patients had accessed the video of other patients, however, in both of the other cases, the patients did not view any of the videos. The error only happened in the UK version of the app and didn’t affect its worldwide operations. The problem was introduced during the update of the app to allow switching between audio and video when a patient is on a call with a physician.

Babylon Health already submitted a report of the breach to the UK Information Commissioner’s Office as demanded by the EU’s General Data Protection Regulation and will post full details regarding the data breach.

In this instance, the software issue does not seem to have exposed many patients’ videos, but it causes concern given the highly sensitive health information exposed through the app. There are now about 2.3 million app users in the UK, so the breach could potentially grow much worse.

Telehealth services had a major expansion in the United States because of the COVID-19 pandemic. The HHS’ Centers for Medicare and Medicaid Services (CMS) extended coverage for reimbursable telehealth services during this time of COVID-19 pandemic and the HHS’ Office for Civil Rights (OCR) released a notice of enforcement discretion with regards to telehealth services, permitting healthcare providers to utilize communications solutions which may not be HIPAA compliant.

Given the rise in telehealth services and the broad range of apps being employed to provide telehealth services, this may be just the first of other privacy breaches concerning telehealth services this year.

Though no financial penalties may be issued due to privacy and security problems associated with the good faith provision of telehealth services during the COVID_19 public health emergency, care needs to still be exercised when selecting a telehealth solution. Plenty of video conferencing applications were not developed with enough security protections to ensure patient data is properly protected, which places patient privacy in danger. As this case shows, data leaks can happen even with purpose-built health apps.

To make sure to protect patient privacy, all new technology should go through a security review. Now that the COVID-19 pandemic is more controlled, it is the right time to do a review of any telehealth applications and other software programs that were introduced to make sure there are adequate protections of patient privacy.

It is likewise worth taking note of the recommendation to use a HIPAA-compliant healthcare telehealth solution that employs comprehensive data privacy and security controls. TigerTouch is a company offering telehealth services that allow healthcare providers to conveniently communicate with care team members and perform telehealth visits with patients at home by means of the same app. The solution satisfies all HIPAA requirements, employs many security measures to make sure patient data is secure, and the platform allows the sharing of files, images, and ePHI quickly and safely. Watch an on-demand webinar here to find out more about the app.