U.K. telehealth company Babylon Healthcare Services Ltd. has suffered a data breach, allowing users to view video consultations of others.

The data breach was first discovered by a user who said on Twitter Tuesday that he had access to more than 50 video recordings belonging to other patients via the Babylon Health app. The company has since admitted the data breach but claimed only a small number of users could see other user sessions.

Babylon Heath went on to say that the exposure was the result of a “software error” related to a feature that lets users switch from audio to video-based consultations partway through a call. The software error has since been fixed.

“We take any security issue, however small, very seriously and have contacted the patients affected to update, apologize to and support where required,” the company said in a statement. “Affected users were in the U.K. only and this did not impact our international operations.”

The data breach comes amid surging demand for telehealth services during the COVID-19 pandemic, which has hit the U.K. particularly hard. The U.K. also has strict privacy rules about data, with medical data given top priority for protection.

Babylon Health was founded in 2013 and has raised $635.5 million to date, its last round on a $2 billion valuation.

“While getting telehealth applications up and running effectively with little to no downtime is a priority, security cannot be left behind in the rush, especially with sensitive and personal healthcare data on the line,” Mark Rogan, dynamic application security testing manager, vulnerability verification, Europe at application security provider WhiteHat Security Inc., told SiliconANGLE. “The stakes are high. Healthcare data is among the most valuable and personally important private information shared between organizations in any area of society.”

The biggest concern for telehealth is the security of applications, he said. “Proactive protection offers the best foundation for cybersecurity across the telehealth industry,” he said. “It depends on a range of processes, beginning with risk assessments to identify which applications present the weakest links.”

James Carder, chief security officer and vice president of LogRhythm Labs, said emerging health tech startups must ensure that data protection is top priority, especially when sensitive patient data is collected, recorded and stored.

“The healthcare sector’s access to vast, valuable data types are a key target for various intelligent threat actors,” Carder explained. “This data breach showcases how a basic lapse in security can compromise patient care, patient safety and trust, and sensitive clinical data.”

It’s significant that Babylon Health has yet to disclose exactly what the software error was, he added. “The breach could have been due to a lack of segregation between patients, the improper use of a shared repository, or a basic web application security flaw allowing users to access each other’s data,” he said.

Image: Babylon Health