I’ve worked on medical apps where the security model was to use S3 storage buckets with URI-based folder names. Not good. My recommendation was to close the app down. Not popular. Don’t worry, it’s no longer holding patient data. It seems that’s not an isolated case…:
A privacy flaw in the Babylon Health GP app gave one user access to the recordings of dozens of other patients’ video consultations.
The data breach came to light after a user tipped off the BBC. Babylon claims the flaw affected only a small number of users, that only one accessed another’s recording and that it resolved the issue within two hours of becoming aware of it.
But the incident is likely to damage trust in a fledgling technology that has already ruffled feathers in the medical community. Rory Glover, the patient who discovered the breach, was able to access about 50 recorded video sessions belonging to other users.
“You don’t expect to see anything like that when you’re using a trusted app,” he told the BBC. “It’s shocking to see such a monumental error has been made.”
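The weakness in the first paragraph, and apparently in the Babylon incident, is the same one: the ability to access a recording depends on knowing (or guessing) where it sits, not on who is asking. The following is an added example, not code from the original post or from any app it mentions, showing the defender's alternative: an ownership check on every request plus a short-lived signed reference to the stored object. The metadata table, the `storage.example` host, the signing key and the record ids are all constructed for the example; a real deployment would use the object store's own presigned-URL mechanism and a key from a secrets manager.

```python
"""Added example: per-object authorisation in front of object storage.

Nothing here is from the original post. The in-memory metadata table, the
signing key and the storage host are constructed stand-ins.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed signing secret. In production this comes from a secrets manager,
# never from source code.
SIGNING_KEY = b"example-signing-key-not-for-production"
STORAGE_BASE = "https://storage.example/"


@dataclass(frozen=True)
class Recording:
    recording_id: str
    owner_id: str
    object_key: str   # where the bytes live; carries no patient identifier


# Constructed metadata table. The object key is never the access control;
# the owner_id column is.
RECORDINGS = {
    "rec-1001": Recording("rec-1001", "patient-A", "consultations/1001.mp4"),
    "rec-1002": Recording("rec-1002", "patient-B", "consultations/1002.mp4"),
}


class AccessDenied(Exception):
    pass


def can_access(requesting_user: str, recording_id: str) -> bool:
    """Ownership check. Unknown ids and foreign ids look the same to the
    caller, so the API does not become an enumeration oracle."""
    rec = RECORDINGS.get(recording_id)
    return rec is not None and rec.owner_id == requesting_user


def sign_reference(object_key: str, expires_at: int) -> str:
    """HMAC over the object key and expiry, so neither can be altered."""
    msg = f"{object_key}|{expires_at}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_recording_url(requesting_user: str, recording_id: str,
                        ttl_seconds: int = 300,
                        now: Optional[int] = None) -> str:
    """App-side: authorise first, then hand out a link that expires."""
    if not can_access(requesting_user, recording_id):
        raise AccessDenied("recording not available to this user")
    rec = RECORDINGS[recording_id]
    now = int(time.time()) if now is None else now
    expires_at = now + ttl_seconds
    sig = sign_reference(rec.object_key, expires_at)
    return f"{STORAGE_BASE}{rec.object_key}?expires={expires_at}&sig={sig}"


def verify_reference(url: str, now: Optional[int] = None) -> bool:
    """Storage-side: reject bad signatures, tampered keys and expired links."""
    parts = urlsplit(url)
    object_key = parts.path.lstrip("/")
    params = parse_qs(parts.query)
    try:
        expires_at = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    if now >= expires_at:
        return False
    return hmac.compare_digest(sig, sign_reference(object_key, expires_at))


if __name__ == "__main__":
    link = issue_recording_url("patient-A", "rec-1001")
    print("issued:", link)
    print("storage accepts:", verify_reference(link))
    try:
        issue_recording_url("patient-B", "rec-1001")
    except AccessDenied as exc:
        print("denied:", exc)
```

The two functions sit on different sides of the trust boundary: `issue_recording_url` runs in the application, which knows who the user is; `verify_reference` runs at the storage edge, which only sees the link. Guessing another patient's object key gains nothing, because the storage side will not serve it without a valid, unexpired signature, and the application will not sign it for anyone but the owner.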