Medical advice app Your.MD could have been tampered with by anyone, alleges ex-veep

Did he really blow the whistle on security fears? tribunal asked

A former vice president of medical app Your.MD has claimed "false information could be fed into the diagnostic system" as a result of security failings in the software's backend.

Randeep Sidhu is claiming he was unfairly dismissed from his £110,000 post as Your.MD's deputy veep of product after making legally protected disclosures about the state of the software back in 2017.

The app itself lets users input symptoms of illness and then suggests potential diagnoses and presents medical information. Judging by its "About" page, it appears to draw some of its responses from the NHS Choices medical info website.

Sidhu told the Central London Employment Tribunal that Your.MD execs Matteo Berlucchi (chief exec) and Alessandro Traverso (chief operating officer) ignored warnings about the app's medical safety in what he described as a rush to launch its version 3 in late 2017.

"I was being neutered from discussing [the problems] publicly. I was told not to raise anything in front of anyone," Sidhu told the tribunal yesterday.

Your.MD's barrister, Gavin Mansfield QC, challenged Sidhu's assertion by suggesting that doctors advising the app firm were the ones raising concerns, saying: "That was an issue that doctors were raising, not you."

"No," replied Sidhu. "The doctors were raising it. I was also raising it."

Is it truly vulnerable if it's not on Google?

During further cross-examination this morning, Sidhu claimed that Your.MD's execs ignored specific information about security concerns he raised with them, saying these were "underlying issues" from previous versions of the app that "hadn't been dealt with yet". He said that he had raised the infosec concerns as part and parcel of his worries over the medical safety of advice given out by the app.

"Data security is an important part of medical safety. Revealing a patient's data is absolutely an issue of medical safety. A patient being misdiagnosed with something because of a data security issue: that's a medical problem," he told the tribunal's three-strong panel.

Mansfield responded by saying: "A patient wouldn't have been misdiagnosed because of a data security issue," to which Sidhu riposted: "False information could be fed into the diagnostic system which could result in someone having the wrong diagnosis."

Although Sidhu said the internal Your.MD database powering the app, Alexandria, "is exposed to the internet", Mansfield commented that "it doesn't come up in a search".

"That doesn't necessarily make it safe," replied Sidhu.

"Someone would have to know the URL to find that database," said Mansfield, to which Sidhu replied: "Correct."

"And it doesn't come up on a Google search," continued Mansfield.

Sidhu, who was seated in the centre of the room between each side's barristers, facing the judges, replied: "Just because something isn't available on Google doesn't mean it isn't discoverable. Bank server URLs aren't publicly available on Google but it's not impossible for hackers to find those URLs. The app would help identify that."

Did you raise it at the time, or are you merely telling us that's what you did?

Returning to the purpose of the cross-examination – to find out whether Sidhu had truly raised these concerns at an internal meeting on 17 October 2017, as he claims – Mansfield pointed out that Sidhu's "pleaded case is that [version 3 of the app] was released before it was safe to do so. It is not that you raised any security issues at that meeting."

The former veep said he'd "highlighted that there [were] security concerns and medical concerns that hadn't been addressed. Did I individually detail each part of the system that's broken? No."

Employment Judge Goodman, chairwoman of the panel, intervened: "What we want to know is what you said... you may not remember the exact words but [what we want is] the level of detail."

Picking his words carefully, Sidhu replied to the judge by saying: "I did not go into the level of detail in the apps where it says Alexandria is, blah blah, technical detail is not what I went into. Because it was not a forum where it was appropriate to raise that level of technical detail."

A triumphant Mansfield then pinned Sidhu to his witness statement. "If you mentioned those concerns you would have put them in your witness statement at paragraph 132. That's right, isn't it?"

Paragraph 132 of Sidhu's witness statement, as seen by The Register, described how, during a management meeting, he was asked to give a presentation to staff emphasising company values such as "honesty" and "clinical safety and service". The final two sentences said: "During the meeting, I questioned how the company values corresponded with Your.MD's recent decision to release the V3 App when it was not ready as explained at paragraph 90 above and not fully safe for potential users. This concern was also shared by the medical team."

Paragraph 90 described how doctors advising Your.MD "had made a plan about what countries it was safe to release the App" [sic] and also said that Sidhu "questioned how the company values corresponded with Your.MD's decision to release the V3 app in particular countries where it had not been approved for release".

Sidhu replied to Mansfield: "Like I said, clinical safety, in my mind, [was] congruent to what I said. We're looking at these as 3 or 4 separate things. If we're talking about them, particularly security concerns, they'd be described together... there were existing security concerns that weren't being addressed."

A dogged Mansfield, crossing his arms and leaning back in his seat, concluded: "You didn't say that, you didn't raise existing security concerns. You raised concerns about the decision to release the V3 app... none of this was said on the 17th October, the safety, the medical concerns. None of it is true."

In addition to unfair dismissal, Sidhu also claimed he was subject to whistleblowing detriment, direct discrimination and harassment because of race and sexual orientation, among other things. In his grounds of claim he described himself as "a British Indian homosexual man".

The tribunal panel was made up of Employment Judge Mrs S Goodman, assisted by lay members Mr D Eggmore and Mrs J Cameron. Barrister Andrew Hochhauser QC represented Sidhu. The case continues. ®