The founders of medical symptom-checker app Your.MD knew that a number of key medical information databases were "open to anyone who knows the URL", emails seen by a London tribunal have revealed.
Emails read out to the Central London Employment Tribunal in Holborn this morning by former vice-president Randeep Sidhu's barrister, Andrew Hochhauser QC, revealed:
- Your.MD execs were aware that five key databases were "publicly available to the internet" in June 2017;
- the firm had no way of validating, at the time, that business-critical microservices "still work[ed] to specification" following changes; and
- data from Your.MD's medical knowledge database, Alexandria, "can be downloaded worldwide, and modified, without even a password".
In addition, a Facebook chatbot devised by Your.MD allegedly allowed its Facebook page admins direct access to customers' health data.
The allegations were made in two emails sent by Your.MD Ltd chief product officer Sam Lowe on 12 June 2017, which described the vulnerabilities as "first priorities" to be fixed. Lowe also proposed organising an "independent 3rd party penetration test" to check for other vulnerabilities. Your.MD chief operating officer Alessandro Traverso replied in an immediate follow-up email that he agreed the situation was serious.
Top doc asked about data security
Lowe's emails were read out during cross-examination of Professor Maureen Baker, a former chairwoman of the Royal College of GPs who is Your.MD's chief medical officer (CMO) and also sits on the startup's clinical advisory board. In addition to these posts, she is a visiting professor of general practice at the University of Sheffield.
Professor Baker responded to Hochhauser's early line of questioning about data security by saying: "If I can expand. I'm really focused on the medical and professional aspects. I'm not – I didn't have any discussions about the tech or the presentations and this hasn't come up in the discussions I've had with the medical teams."
Her Scottish lilt remaining level and clear in the well-heated hearing room, she added: "I'm talking here specifically about clinical safety. Clinical safety and data security are not the same thing… that's not my remit."
Sidhu, the claimant, had previously argued during his own cross-examination that the two were very closely connected.
Surely, asked Hochhauser, the Alexandria medical knowledge database being unsecured meant that "a malicious person could make the service misdiagnose dangerous conditions?"
"No," replied Baker, "that's incorrect on two levels."
"So firstly the app does not make a diagnosis. So it cannot misdiagnose. Secondly, the data referred to, steps, etc, none of that would affect the outcome of a consultation on Your.MD," she added.
"What is being suggested," intoned Hochhauser in a deep voice, "and it was looked at in Mr Lowe's email, is that Alexandria could have incorrect information inserted into it because of the lack of security and that posed a problem… I realise you want to assist the company, but would you agree that is an unsatisfactory state of affairs?"
Stung, Baker responded: "Firstly, I have sworn an oath to tell the truth and I am answering your questions; it's not about assisting the company. Secondly, I think you're conflating things."
She continued, pausing occasionally to gather her words. "So there's one issue, which is alteration of the medical knowledge database. That's an issue. If that happened that would be – there are possibilities for things to go wrong. I accept that. However, what I don't accept is the health metrics bit leading to a problem for a user. In terms of a condition outcome."
Facebook, chatbots and people's medical histories
Back in 2017, Your.MD released a Facebook Chat-based bot that users could interact with to ask for advice on medical symptoms. Sidhu claimed that Your.MD implemented few privacy controls on who within the company could access customers' information via Facebook.
In his witness statement, Sidhu asserted that "personally identifiable information was linked to highly sensitive personal information that could compromise the individual, such as abortions, sexual health and/or a pre-existing medical condition". He claimed that "any admin" of Your.MD's Facebook account "could use their personal Facebook profile to find their employer/boyfriend/parents/friends" and use the sensitive medical information "to threaten or blackmail the user".
"Given your background, Professor Baker," asked Hochhauser, "wouldn't you agree that that is a highly unsatisfactory state of affairs?"
Baker said in response that while any abuses like that would be "deplorable and highly unsatisfactory", systems involving medical records do require people to have access to it "in order to do their jobs: the same could be said of any receptionist or administrator in any healthcare system".
The tribunal is due to conclude today. Judgment is expected to be handed down in a few weeks' time. ®