NHS patient data left vulnerable by software flaw

NHS looking into claims of bug in private supplier’s APIs

The NHS is investigating claims that a software flaw at a private NHS supplier left patient data vulnerable for as long as six years.

Medefer is an outpatient service that handles around 1,500 NHS referrals a month. It allows patients to book virtual appointments with NHS clinicians.

According to a former employee speaking to the BBC, a software flaw – discovered in November, and since fixed – left the company’s internal patient record system vulnerable to attackers.

The problem was specifically in Medefer’s APIs, which the former engineer (who did not want to be named, and worked for the company between October and January) says were not properly secured.

An attacker could have exploited that vulnerability to access patient information. Although there is no evidence this happened, the problem is believed to have been present for “at least” six years.

The source told the BBC, "I've worked in organisations where, if something like this happened, the whole system would be taken down immediately."

He allegedly recommended that Medefer bring an external expert in to address the flaw, but the company declined to do so.

For its part, Medefer says an external party found no evidence of a data breach.

"The external security agency has asserted that the allegation that this flaw could have provided access to large amounts of patients' data is categorically false," said Medefer founder and CEO Dr Bahman Nedjat-Shokouhi.

The company has reported the issue to the Care Quality Commission and the ICO. The data regulator accepted that there was no evidence of a breach and recommended that no further action be taken.

However, an NHS spokesperson confirmed that it is looking into the claims, and other security stakeholders have shared their own concerns.

John Smith, EMEA CTO of Veracode, said the flaw “highlights a growing and concerning trend across all industries – security debt from unresolved vulnerabilities left unfixed for years, particularly in third-party code and the software supply chain.”

Meanwhile Professor Alan Woodward of the University of Surrey said Medefer may not have stored its NHS data "as securely as one would hope it would be."

He added, "The database might be encrypted and all the other precautions taken, but if there is a way of glitching the API authorisation, anyone who knows how could potentially gain access."