Data on 1.2 million NHS patients stolen, claims hacker

Contractor at the centre of the claims says it didn't hold that much data

A hacker claiming to represent the Anonymous hacking group says they stole personal details of as many as 1.2 million NHS patients after cracking a book-and-choose website.

The attacker claims that they were able to access a database with records on more than one million people.

The company, SwiftQueue, operates an appointment booking service for eight NHS Trusts. It also operates patient-operated check-in terminals in waiting rooms. After it discovered the breach, the company contacted the Metropolitan Police's Cyber Crime unit.

The attacker also contacted The Sun newspaper with the claims, saying that people have "a right to know how big companies like SwiftQueue handle sensitive data".

According to the hacker, the attack exploited unpatched weaknesses in SwiftQueue's software. This enabled them to download the company's entire database, containing more than 11 million records, including passwords.

SwiftQueue disputes the assertion. It acknowledges that a hack took place, but says that its database is not as big as claimed. It says that around 32,500 lines of 'administrative data' were accessed, some of which was test data relating to 'dummy' patients.

However, the data that was accessed does include personal details such as names and dates of birth. It does not include medical records, and passwords are encrypted.

No more details, such as which trusts were affected, were shared.

Sam Smith, a coordinator at MedConfidential, a group dedicated to protecting patients' medical records and personal information, told The Sun, "Patients will be alarmed that a company trusted by the NHS to hold their private data has been compromised in this way.

"Firms should take every step possible to keep private data secure, which does not appear to have happened in this case... The NHS should be doing more to ensure their suppliers meet the highest possible standards of data security."

SwiftQueue is now informing patients who have been affected.

The NHS was recently granted £21 million to improve its cybersecurity, in the wake of the WannaCry ransomware attack.