- NHS is reportedly looking at accusations of a third-party software error
- A vulnerability of this kind could leave patients exposed
- However, Medefer denies wrongdoing and says it was not aware of the problem
The NHS is reportedly “to look at” claims that a software error at a virtual booking provider left patient data exposed for a number of years.
Reports from Computer Weekly say that a researcher found an error at Medefer, which handles 1,500 NHS patient referrals per month; its system allows patients to book virtual appointments with doctors and gives physicians access to the relevant patient data.
However, the APIs in Medefer’s software were apparently not secured correctly, which means that sensitive patient data could have fallen into the wrong hands, the researcher confirmed.
Patients vulnerable
The researcher, who wished to remain anonymous, told Computer Weekly that hackers could target these reported vulnerabilities by using “a package of automated tools and techniques” to retrieve personal and sensitive information that may be monetized or used for additional malicious activity. Since authorization was not required, threat actors could “script automated calls to the APIs to smooth out large amounts of data, for example, all patient records.”
The error could have been around for at least 6 years, the researcher said, which means a large amount of NHS data could be in danger.
However, Medefer says it first heard about the NHS investigation in the media and that it has not had any prior contact from the NHS on this matter.
“There is no evidence of any violation of patient data from our systems at any time. This has been formally confirmed by an independent specialist cyber security agency,” Dr. Bahman Nedjat-Shokouhi, CEO of Medefer, told TechRadar Pro.
“The external cyber security agency has claimed that the claim that this error could have given access to large amounts of patients’ data is categorically false, confirmed that all medical data systems are currently safe and that it is not possible to access patient data without the need for appropriate security approval. The Commission is confirmed that no further actions are taken.”
Healthcare data is incredibly valuable to threat actors, as medical information can be sold on the dark web, and personally identifiable information (such as names, addresses, emails) can be used in social engineering attacks or identity theft, so anyone who is potentially exposed should monitor their accounts carefully.



