Software bug at firm left NHS data 'vulnerable to hackers'

2025-03-10 02:28:00

Abstract: NHS is investigating a potential Medefer (private healthcare provider) data vulnerability found in Nov. Medefer says it's fixed, no breach occurred.

The National Health Service (NHS) in the UK is "investigating" allegations concerning a vulnerability in the software of a private healthcare company that could have exposed patient data to hacking. The vulnerability was discovered in November of last year at Medefer, a company that handles 1,500 NHS patient referrals each month.

The software engineer who discovered the vulnerability believes the issue existed for at least six years. Medefer has stated that there is no evidence to suggest the vulnerability existed for that long, and emphasizes that no patient data was compromised. The vulnerability was patched within days of its discovery. In late February, the company commissioned an external security agency to review its data management systems.

An NHS spokesperson stated, "We are investigating concerns raised regarding Medefer and will take further action if appropriate." Medefer's system allows patients to book virtual appointments with doctors and enables clinicians to access corresponding patient data. However, the engineer stated that the software vulnerability discovered in November made Medefer's internal patient record system vulnerable to hacking.

The software engineer, who wished to remain anonymous, was shocked by his discovery. "When I found it, I was just like 'no, this can't be'." The issue lay in pieces of software called APIs (Application Programming Interfaces), which allow different computer systems to communicate with each other. The engineer said that at Medefer, these APIs were not properly secured and could have been accessed by external parties, who would have been able to see patient information.

He said that patient information was unlikely to have been stolen from Medefer, but without a full investigation, the company cannot be certain. "I've worked in organizations where if something like this happened, the whole system would be shut down immediately," he said. After discovering the vulnerability, the engineer told the company that it should get an external cybersecurity expert to investigate the issue, but he claims the company did not do so.

Medefer has stated that the external security agency has confirmed that it has found no evidence of any data breach and that all of the company's data systems are currently secure. It said that the process of investigating and fixing the API vulnerability was "very open." Medefer stated that, out of "transparency," it had reported the matter to the ICO (Information Commissioner's Office) and the CQC (Care Quality Commission), and that the ICO had confirmed that no further action was required because there was no evidence of a breach.

Dr. Bahman Nedjat-Shokouhi, founder and CEO of Medefer, said in a statement, "There is no evidence of any patient data breach from our systems." He confirmed that the vulnerability was discovered in November and that a fix was developed within 48 hours. "The external security agency asserts that the claims about this vulnerability potentially providing access to large amounts of patient data are absolutely false." The security agency is due to complete its review later this week.

Professor Alan Woodward, a cybersecurity expert at the University of Surrey, stated, "Data held by Medefer from the NHS may not be as secure as one would hope." He added, "The database might be encrypted and all other precautions taken, but if there's a way to crack the API authorization, then anyone who knew how to do it could potentially gain access." Another expert noted that because Medefer handles highly sensitive medical data, the company should have hired a cybersecurity expert immediately after the issue was discovered.
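To make Professor Woodward's point concrete, here is an added example (not code from Medefer, the NHS, or anyone quoted in the article) showing, in one minimal handler, the weakness the engineer describes: an API that returns patient records to any caller, beside a hardened version that authenticates the caller and then checks that the clinician is permitted to see that specific referral. The referral ids, clinician accounts, token scheme and records are all constructed for illustration.

```python
import hmac
import hashlib
import secrets

# Constructed sample data (not real patient records): referral id -> record.
RECORDS = {
    "ref-1001": {"nhs_number": "CONSTRUCTED-0001", "notes": "knee pain, MRI requested"},
    "ref-1002": {"nhs_number": "CONSTRUCTED-0002", "notes": "follow-up bloods"},
}
# Constructed authorisation data: which clinician may see which referrals.
ACCESS = {"dr-smith": {"ref-1001"}, "dr-jones": {"ref-1002"}}

# Server-side key used to mint and check API tokens (fresh key per process).
SERVER_KEY = secrets.token_bytes(32)


def issue_token(user: str) -> str:
    """Mint a token binding the caller identity to an HMAC only the server can produce."""
    tag = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{tag}"


def caller_from_token(token):
    """Return the authenticated user for a valid token, else None."""
    if not token or "." not in token:
        return None
    user, tag = token.rsplit(".", 1)
    expected = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(tag, expected) else None


def get_record_insecure(request: dict):
    """The weak pattern: whoever can reach the endpoint can read any referral.

    Encrypting the database at rest does nothing here, because the API itself
    decrypts and hands the record to an unauthenticated caller.
    """
    return 200, RECORDS.get(request.get("referral"))


def get_record_secure(request: dict):
    """Hardened: authenticate the caller, then authorise per referral."""
    user = caller_from_token(request.get("token"))
    if user is None:
        return 401, None  # no valid token: not authenticated
    ref = request.get("referral")
    if ref not in ACCESS.get(user, set()):
        return 403, None  # authenticated, but not permitted to see this referral
    return 200, RECORDS[ref]
```

A quick check that both endpoints behave as described: the insecure handler serves `ref-1001` with no token at all, while the hardened one returns 401 with no token, 403 for a clinician not linked to that referral, and 200 only for a valid token whose user is permitted.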

Security researcher Scott Helme stated, "Even if the company suspects no data was stolen, when faced with an issue that could have led to a data breach, particularly for the nature of the data in question, it is advisable for an investigation and confirmation to be carried out by a suitably qualified cybersecurity expert." Medefer was founded in 2013 by Dr. Nedjat-Shokouhi to improve outpatient care. Since then, its technology has been used by NHS trusts across the country.

An NHS spokesperson said in a statement that the trusts are responsible for contracts with the private sector. "Individual NHS organizations must ensure they fulfil their legal responsibilities and national data security standards to protect patient data when commissioning suppliers, and we provide support and training nationally on how they can do this."