Software bug meant NHS information was potentially “vulnerable to hackers”

Flaw in virtual booking software allegedly left data exposed

  • The NHS is reportedly looking into allegations of a third-party software flaw
  • A vulnerability of this kind could leave patients exposed
  • However, Medefer denies wrongdoing and says it was unaware of the issue

The NHS is reportedly “looking into” allegations that a software flaw in a virtual booking provider left patient data exposed for a number of years.

Reports from Computer Weekly say a researcher found a flaw in the software of Medefer, which handles 1,500 NHS patient referrals per month; its system lets patients book virtual appointments with doctors and gives physicians access to the relevant patient data.

According to the researcher, however, the APIs in Medefer's software were not secured properly, meaning sensitive patient data could have fallen into the wrong hands.

Patients vulnerable

The researcher, who wished to be anonymous, told Computer Weekly hackers could target these reported vulnerabilities by using "a suite of automated tools and techniques" in order to retrieve personal and sensitive information that could be monetised or used for further malicious activity. Since authentication wasn't required, threat actors could "script automated calls to the APIs to exfiltrate large amounts of data, for example all patient records."
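To make that failure mode concrete, here is an added example (written for this page, not code from Medefer or from the reporting) of a patient-lookup endpoint in the unauthenticated form the researcher describes, next to a hardened version that checks a signed bearer token and then enforces object-level authorisation. A small enumeration loop stands in for the "automated calls" to the API. The records, clinician ids, caseload mapping and signing secret are all constructed for the example.

```python
import hmac
import hashlib

# Constructed sample records standing in for a booking platform's patient store.
# Invented for this example; not real NHS data.
PATIENTS = {
    1001: {"name": "Patient A", "referral": "cardiology", "dob": "1970-01-01"},
    1002: {"name": "Patient B", "referral": "dermatology", "dob": "1985-06-15"},
    1003: {"name": "Patient C", "referral": "gastroenterology", "dob": "1992-11-30"},
}

# Constructed mapping of which clinician may see which patients (an assumption
# about how a real service would model access).
CASELOAD = {
    "clin-17": {1001},
    "clin-42": {1002, 1003},
}

# Constructed signing secret; a real service would load this from a secrets manager.
API_SECRET = b"constructed-demo-secret-do-not-reuse"


def issue_token(clinician_id):
    """Mint a bearer token that binds the clinician identity to an HMAC tag."""
    tag = hmac.new(API_SECRET, clinician_id.encode(), hashlib.sha256).hexdigest()
    return clinician_id + "." + tag


def verify_token(token):
    """Return the clinician id if the token's tag checks out, otherwise None."""
    if not isinstance(token, str) or "." not in token:
        return None
    clinician_id, _, tag = token.rpartition(".")
    expected = hmac.new(API_SECRET, clinician_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    return clinician_id


def get_patient_vulnerable(patient_id, headers):
    """Weak endpoint: anyone who knows or guesses an id gets the record.

    Nothing in 'headers' is consulted, which is the missing-authentication
    pattern the researcher describes.
    """
    record = PATIENTS.get(patient_id)
    if record is None:
        return 404, None
    return 200, record


def get_patient_hardened(patient_id, headers):
    """Hardened endpoint: authenticate the caller, then authorise the object."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None
    clinician_id = verify_token(auth[len("Bearer "):])
    if clinician_id is None:
        return 401, None
    # Object-level check: the patient must be on the caller's caseload.
    # Answer 404 rather than 403 so the endpoint does not reveal which ids exist.
    if patient_id not in CASELOAD.get(clinician_id, set()):
        return 404, None
    record = PATIENTS.get(patient_id)
    if record is None:
        return 404, None
    return 200, record


def scripted_enumeration(handler, id_range, headers=None):
    """Stand-in for scripted API calls: walk an id space and keep every record
    the endpoint hands back."""
    harvested = {}
    for patient_id in id_range:
        status, body = handler(patient_id, headers or {})
        if status == 200:
            harvested[patient_id] = body
    return harvested


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable, no credentials:", sorted(scripted_enumeration(get_patient_vulnerable, ids)))
    print("hardened, no credentials:  ", sorted(scripted_enumeration(get_patient_hardened, ids)))
    good = {"Authorization": "Bearer " + issue_token("clin-42")}
    print("hardened, clin-42 token:   ", sorted(scripted_enumeration(get_patient_hardened, ids, good)))
    forged = {"Authorization": "Bearer " + issue_token("clin-42").replace("clin-42", "clin-17", 1)}
    print("hardened, forged token:    ", sorted(scripted_enumeration(get_patient_hardened, ids, forged)))
```

Against the vulnerable handler the loop walks away with every record in the id range with no credentials at all; against the hardened one it gets nothing without a token, nothing with a tampered token, and only the caller's own caseload with a valid one. The two checks are deliberately separate: a valid token proves who is calling, and the caseload lookup decides what that caller may read, so fixing only the first would still leave one clinician able to enumerate every other clinician's patients.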

The flaw could have existed for at least six years, the researcher said, meaning a large amount of NHS data could be at risk.

However, Medefer says that it first heard about the NHS investigation in the media, and that it has had no prior contact from the NHS on this issue.

"There is no evidence of any patient data breach from our systems at any point. This has been formally confirmed by an independent specialist cybersecurity agency," Dr Bahman Nedjat-Shokouhi, CEO of Medefer, told TechRadar Pro.

"The external cybersecurity agency has asserted that the allegation that this flaw could have provided access to large amounts of patients’ data is categorically false, confirmed that all of Medefer’s data systems are currently secure, and that it is not possible to access any patient data without appropriate security authentication. The issue has been reported to the Information Commissioner’s Office (ICO) by Medefer, and the commission confirmed no further action needs to be taken."

Healthcare data is incredibly valuable to threat actors: medical information can be sold on the dark web, and personally identifiable information (such as names, addresses and email addresses) can be used in social engineering attacks or identity theft, so anyone potentially exposed should monitor their accounts carefully.

Ellen Jennings-Trace
Staff Writer

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.

