The Babylon mobile health app, whose business mission is to "provide an accessible and affordable health service to every person on earth," has admitted to a software bug that took that accessibility a step further than intended.
According to a BBC report, a UK user of the app ended up with other people's health data in their hands.
The user, named by the BBC as Rory Glover from Leeds, England, was apparently using the app to check his own prescription when he found that the app's "Retry Consultation" function was showing him a list of 50 videos to review.
As you can imagine, he took a look at what the videos were. A screenshot shared by the BBC shows that they were labelled only as "Replay N", where N is a counter, so there was nothing to suggest that the data belonged to someone else.
Clicking on one of them made the nature of the unexpected videos clear: it was a recording of someone else's video consultation with a doctor, made through the service.
Glover contacted an acquaintance who had formerly worked at Babylon, and that person did the right thing by alerting the company to the breach.
As far as we can tell, Babylon acted quickly both to remove the rogue videos from Glover's "Replays" gallery and to report the incident to the Information Commissioner's Office (ICO), the UK's data protection regulator.
Babylon does not yet seem to have published a statement about what happened on its own blog or website (as of 2020-06-10T11:00Z), but it is widely reported as saying that this was "more the result of a software bug than a malicious attack."
That may sound like cold comfort, but it means we are not dealing with a situation where crooks have made off with a stash of video files that they could sell, or use later for cyber-extortion.
The company also says its investigation has shown that only three users in total (one of whom was Mr Glover) were given links to other patients' videos, and that the other two never actually watched any of the videos they shouldn't have been able to see.
We don't yet know how many different patients' videos were on those lists, but Babylon has attributed the bug to a "new feature" that lets someone who is consulting a doctor through the app switch to video mode during the call.
We don't want to think too hard about why a doctor might want to switch to video mode after discussing a patient's symptoms, or about what squeamish sights might end up being filmed on such a call.
However, we are relieved to hear that the problem seems to have been fixed quickly enough that only one video was viewed by the wrong person, so the real-world damage was very limited and was contained quickly.
We are also relieved that the person who watched the wrong video decided to do something positive by reporting the problem, and that they were apparently able to get in touch with Babylon quickly and effectively.
(We are aware that the reporter previously worked for Babylon, which may have made it easier to find the right person to speak to, but we also note that Babylon's bug-reporting pages are fairly easy to find if you click the "Regulatory" link on its home page.)
The big question, however, is how this data-leaking bug got through software testing, and what Babylon will do to stop this sort of bug from reaching the wild in future, given that the data exposed is extremely personal.
What should I do?
If you are a Babylon app user: There doesn't seem to be anything you need to do. As far as we can tell, the problem was caused by an error on the server side, so it could be fixed centrally without an app update.
If you are a mobile app developer: Don't rely on the coding mantra from the early days of cloud development, "Move fast and break things." That was never a good mantra for anyone; it has never been appropriate in fields such as healthcare; and it was set aside long ago. Security should never be an add-on component that you bolt on later, when you think your new software features are complete. (Without built-in security, they can never be complete.)
If you are a service provider: Make sure there is a clear process your users can follow to report software bugs or privacy issues. If you can, consider a bug bounty programme that gives professional bug hunters an incentive to look for potential problems in your product and to report them responsibly.
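To make the developer advice above concrete, here is a constructed illustration (added here; not Babylon's code, and the real cause of its bug has not been published) of the kind of server-side slip that hands one patient's replays to another: a listing function whose query is not scoped to the signed-in user, beside a hardened version, plus a regression check that counts cross-patient exposure. The Replay records and patient ids are made up for the example.

```python
"""Constructed example: a consultation-replay gallery, vulnerable vs. hardened."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Replay:
    replay_id: int
    patient_id: str   # owner of the recording
    url: str


# Constructed sample store: recordings belonging to three different patients.
REPLAYS: List[Replay] = [
    Replay(1, "patient-A", "https://example.invalid/replay/1"),
    Replay(2, "patient-B", "https://example.invalid/replay/2"),
    Replay(3, "patient-A", "https://example.invalid/replay/3"),
    Replay(4, "patient-C", "https://example.invalid/replay/4"),
]
USERS = ["patient-A", "patient-B", "patient-C"]


def list_replays_vulnerable(session_user: str) -> List[Replay]:
    """Bug pattern: the store is queried without the caller's identity,
    so every recording is returned to whoever asks for the gallery."""
    return list(REPLAYS)


def list_replays(session_user: str) -> List[Replay]:
    """Hardened: ownership is part of the query itself, not a later filter."""
    return [r for r in REPLAYS if r.patient_id == session_user]


def get_replay(session_user: str, replay_id: int) -> Optional[Replay]:
    """Hardened fetch: re-check ownership on every object access, so a leaked
    or guessed id is useless. Unknown and unowned ids both yield None, which
    an API layer would map to the same 404 response."""
    for r in REPLAYS:
        if r.replay_id == replay_id and r.patient_id == session_user:
            return r
    return None


def cross_user_leak(lister: Callable[[str], List[Replay]], users: List[str]) -> int:
    """Regression check for the test suite: count replays that a lister
    hands to a user who does not own them. Anything above 0 is a leak."""
    return sum(1 for u in users for r in lister(u) if r.patient_id != u)
```

A check like cross_user_leak belongs in the automated tests for any feature that lists or plays back per-patient records, so that a refactor which drops the ownership clause fails the build rather than shipping.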