Secure Your Data

Five lessons Digital Health SMEs can learn from Babylon Health’s Data Breach
Jemima Heard
October 8, 2020

Digital Health SME Babylon Health has had the ideal journey for any innovative tech company.

Launched in November 2017, it was the first app on the NHS App Library. The virtual GP-Consultation app currently serves the general practice needs of 2.3 million Brits.

Data breaches in the Digital Health sector

On 9 June 2020, Babylon Health admitted to its first data breach after a user reported being able to access dozens of online appointment recordings.

Data breaches are a major concern for every company, but when the data is health data, which the law treats as 'special category' information, a breach carries legal consequences on top of the commercial ones. As a digital health founder, your company is the data controller and is accountable for any breach of that data.

Data breaches also have an economic impact, and the UK has felt the brunt of this. A data breach in the UK's healthcare sector costs £5.2 million on average, almost double the global average. On top of that, the regulator's fine for a single breach can reach €20 million or 4% of global annual turnover, whichever is higher.

Here's what you can do as a Digital Health Entrepreneur to protect your business, and your users.

1. Make data security a primary concern.

Data breaches aren't unheard of in the MedTech sphere. In 2017 and 2018, the NHS experienced two huge data breaches: one from an attack on its largely outdated systems and another from a coding error.

The wide publicity these breaches received means that the public are growing wary of relying on tech and of the safety of their information. 71% of people surveyed worry about how companies will use their personal data. Public willingness to share data is now declining, and these concerns are starting to affect sales.

This means you need to invest heavily in your product development and data security.

With digital health products, you'll need to ensure you:

Use only secure code

Blockchain technology is a popular tool in the digital health sector, and for good reason: it gives you tamper-evident, resilient transfer of records. But it is not impregnable, and it says nothing about the security of the app, API or wearable firmware built around it. Layer protections in your product rather than relying on any single one.

Test, test, and test again

Don't rely only on your own team to test. Beta testing is a great opportunity to create a buzz around your product while also testing functionality, but beta users mostly report things that don't work, not things that work for the wrong person. Pair it with dedicated security testing (code review and penetration testing) before launch, and repeat it whenever the product changes.

Ensure high-level authentication and authorisation

Passwords and fingerprints prove who the user is (authentication). The app must then check, on every request, that this particular user is allowed to see the specific record being asked for (authorisation). The Babylon incident described above, in which one user could open other patients' appointment recordings, is a failure of that second check, not the first.
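The difference shows up directly in code. What follows is an added example, not Babylon's code (the post does not show any) and not a description of how their breach occurred: a constructed, framework-free Python handler for "fetch recording by ID", first without and then with a per-request ownership check. The Recording model, the sample data and the access policy (only the patient and the clinician on that consultation may view it) are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class Recording:
    recording_id: int
    patient_id: str    # the patient the consultation was with
    clinician_id: str  # the clinician who conducted it
    url: str           # where the video lives (constructed placeholder)


# Constructed sample data: two patients, two clinicians, three consultations.
RECORDINGS = {
    101: Recording(101, "patient-a", "gp-1", "store://recordings/101.mp4"),
    102: Recording(102, "patient-b", "gp-2", "store://recordings/102.mp4"),
    103: Recording(103, "patient-a", "gp-2", "store://recordings/103.mp4"),
}


class AccessDenied(Exception):
    """Raised when the caller may not see the requested recording."""


def get_recording_insecure(caller_id: str, recording_id: int) -> Optional[Recording]:
    """Vulnerable pattern: the caller is authenticated, but the record is fetched
    by ID with no check that it belongs to them. caller_id is never consulted, so
    anyone who can guess or increment an ID can read another patient's video."""
    return RECORDINGS.get(recording_id)


def may_view(caller_id: str, rec: Recording) -> bool:
    """Assumed policy: only the patient and the clinician on that consultation may view it."""
    return caller_id in (rec.patient_id, rec.clinician_id)


def get_recording_secure(caller_id: str, recording_id: int) -> Recording:
    """Hardened version: same lookup, followed by an explicit ownership check."""
    rec = RECORDINGS.get(recording_id)
    if rec is None or not may_view(caller_id, rec):
        # One outcome for "does not exist" and "not yours", so an attacker
        # enumerating IDs cannot tell which ones are real.
        raise AccessDenied(f"{caller_id} may not access recording {recording_id}")
    return rec


def scan(fetch: Callable[[str, int], Optional[Recording]],
         caller_id: str, ids: Iterable[int]) -> List[int]:
    """What an ID-enumeration attack yields: the recording IDs the caller obtained."""
    found = []
    for rid in ids:
        try:
            rec = fetch(caller_id, rid)
        except AccessDenied:
            continue
        if rec is not None:
            found.append(rec.recording_id)
    return found


if __name__ == "__main__":
    ids = range(100, 110)
    print("insecure, patient-b sees:", scan(get_recording_insecure, "patient-b", ids))
    print("secure,   patient-b sees:", scan(get_recording_secure, "patient-b", ids))
```

Run as a script, the insecure handler hands patient-b all three recordings, including both of patient-a's; the hardened one returns only recording 102. The point to carry into a real codebase is that the check lives on every object-level read, not only on the login screen, and that "not found" and "not yours" look identical to the caller.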

If you're creating an app, start with OWASP (the Open Web Application Security Project), a volunteer-led organisation that publishes free, widely used application security standards and guidance. Its Top 10 list of web application risks and its Application Security Verification Standard both cover the access-control failures described above.

2. Keep up to date with industry data standards

NICE Evidence Standards Framework for Digital Health Technologies covers the clinical effectiveness evidence you need to show your product works. Without this, you'll face a greater struggle to get your app, device or wearable adopted into the NHS.

But what about evidencing your data standards? If you want your product in the NHS App Library, you'll face between 6 and 140 questions about the data protection standards of your product.

Familiarise yourself with NHS Digital Data and Technology Service Standards to ensure you're abiding by the minimums set for NHS uptake and approval.

Image shows the front page of the NICE Evidence Standards Framework for Digital Health Technologies, and the home page of the draft NHS digital, data and technologies standards framework
As a digital health entrepreneur, both NICE Evidence Standards Framework and the upcoming NHS Digital, Data & Technology Standards Framework are integral to getting your product adopted into the Health and Social Care System or NHS Apps Library.


If you're publishing your digital health product or service without NHS aspirations, you'll still need to be able to assure your target audience that their data is safe.

This is where you need to ensure you abide by the law.

3. Abide by data privacy legislation and GDPR

The first data privacy laws were published in 1968 following an examination of Europe's then-current human rights legislation. That's right: data privacy is legally considered to be a fundamental human right.

Any app that collects personal information must abide by the 2018 UK Data Protection Act - this is where we meet Privacy Policies.

Privacy policies are not 'one size fits all'. Apple and Google have slightly different privacy policy needs for apps on their stores. Different countries have different privacy regulations, so you may need to adapt your policy if you want to reach international markets. Read more about your privacy policy needs from this Termsfeed blog.

As a business operating in the UK, you'll also have to comply with the GDPR, which has applied since May 2018.

According to Healthware, 85% of UK Digital Health startups are not compliant with GDPR, posing a huge risk to businesses and users alike. Why is this number so high?

GDPR treats health data as special-category data, and processing it is prohibited by default. To process it lawfully you need one of the six general lawful bases (Article 6) and, on top of that, one of the specific conditions for special-category data (Article 9), such as the explicit consent of the user or a health-care purpose carried out under professional duties of confidentiality.

To ensure GDPR compliance, you may also need to:

Gain explicit consent

This means that the user needs to actively confirm they're happy for you to collect their data, for example by ticking a box or pressing a button. Pre-ticked boxes, silence or continued use of the app do not count as consent, and the user must be able to withdraw it as easily as they gave it.

Complete a Data Protection Impact Assessment (DPIA)

A documented assessment of the risks your processing poses to the people whose data you hold, and of the measures you take to reduce them. A DPIA is mandatory where processing is likely to be high risk, which includes large-scale processing of health data, so most digital health products will need one before launch.

Assign a Data Protection Officer

This is mandatory where your core activities involve large-scale processing of special-category data such as health records, so it depends on the type and scale of data you collect.

The best way to ensure your product or service conforms to all necessary data legislation is to talk to a lawyer. Violations of GDPR can cost a company up to 4% of its global annual turnover (or €20 million, whichever is higher), so it's in your best interest to protect your users.

4. Have a crisis management plan

Being pro-active about potential crises puts you in a stronger position to deal with them. 

A crisis management plan can also help you navigate issues such as product failures, sudden economic changes, reputation attacks and even external events such as terrorist attacks or natural disasters.

Some easy steps to take for this are:

  • Identify where breaches may occur
  • Reduce risk where possible
  • Draft a crisis response plan, considering any necessary 'backups'
  • Clarify who will be responsible for solutions and crisis communications

Crises can present a unique opportunity to show expertise, leadership and strength - so don't let one overwhelm you.  

5. Value post-crisis communications

Human instinct in any scary situation is to defend and deflect but avoiding the truth will damage your company reputation - particularly in the case of a data breach.

Don't wait until the breach is fully resolved before telling people. Under GDPR, a breach that puts people's rights at risk must be reported to the ICO within 72 hours of your becoming aware of it, and where the risk to individuals is high they must be told without undue delay. Be as honest as you can; it'll help rebuild trust after the fact.

Next, communicate key lessons learned to the public and your stakeholders. This is your opportunity to show your company’s dedication to data protection and the rights of your users.

Finally, use this as an opportunity to grow. Make the necessary changes and you now have a stronger product – but remember to keep testing it for any flaws.

Need help navigating data protection for your digital health innovation? SimDH helps entrepreneurs to access industry experts for group workshops, one-to-one consultations and advice. Find out more about the programme here.