A company called Medefer, which works with the UK’s NHS, has been potentially exposing NHS patient data publicly for up to six years due to a misconfigured API that was discovered in November last year. According to BBC News, the company handles 1,500 NHS patient referrals each month.
The NHS is currently looking into the matter, according to the report. An NHS spokesperson was quoted as saying: "We are looking into the concerns raised about Medefer and will take further action if appropriate."
The software engineer who found the bug, who has not been named, said they were shocked when they came across the configuration of the API. The engineer believes that no data was taken from Medefer via this API, but warned that without a full investigation, Medefer can’t be sure this is the case.
Within a few days of the vulnerability being discovered, the company fixed the issue. The engineer, however, recommended that an external security agency be commissioned to investigate the issue further. Medefer did not take this action at the time, but waited until February.
While the audit won’t be finished until later this week, it has so far found that no data was breached and that the systems are currently secure. In this case, it looks like all patients with data in Medefer’s databases got lucky, but it does raise the question of what other vulnerabilities are lurking in the code of the NHS and its partners.
Medefer said it contacted the ICO (Information Commissioner’s Office) and the CQC (Care Quality Commission) and was told that no further action needed to be taken as there was no evidence of a breach.
Dr Bahman Nedjat-Shokouhi, founder and CEO of Medefer, said: "There is no evidence of any patient data breach from our systems. The external security agency has asserted that the allegation that this flaw could have provided access to large amounts of patients' data is categorically false. We take our duties to patients and the NHS very seriously. We hold regular external security audits of our systems by independent external security agencies, undertaken on multiple occasions every year."
The NHS said that trusts around the country are responsible for their own contracts with the private sector: they must meet their legal responsibilities and ensure that data protection standards are met when appointing suppliers.