Software bug at firm left NHS data 'vulnerable to hackers'

The NHS is "looking into" allegations that patient data was left vulnerable to hacking due to a software flaw at a private medical services company.

The flaw was found last November at Medefer, which handles 1,500 NHS patient referrals a month.

The software engineer who discovered the flaw believes the problem had existed for at least six years.

Medefer says there is no evidence the flaw had been in place that long and stressed that patient data has not been compromised.

The flaw was fixed a few days after being discovered.

In late February the company commissioned an external security agency to undertake a review of its data management systems.

An NHS spokesperson said: "We are looking into the concerns raised about Medefer and will take further action if appropriate."

Medefer's system allows patients to book virtual appointments with doctors, and gives those clinicians access to the appropriate patient data.

However, the software bug, discovered in November, made Medefer's internal patient record system vulnerable to hackers, the engineer said.

The software engineer, who does not want to be named, was shocked by what he uncovered.

"When I found it, I just thought 'no, it can't be'."

The problem was in bits of software called APIs (application programming interfaces), which allow different computer systems to talk to each other.

The engineer says that at Medefer those APIs were not properly secured, and could potentially have been accessed by outsiders, who would have been able to see patient information.

He said it was unlikely that patient information was taken from Medefer, but that without a full investigation, the company could not have known for sure.

"I've worked in organisations where, if something like this happened, the whole system would be taken down immediately," he said.

On discovering the flaw the engineer told the company that an external cybersecurity expert should be brought in to investigate the problem, which he says the company did not do.

Medefer says the external security agency has confirmed that it has found no evidence of any breach of data and that all the company's data systems were currently secure.

It says the process of investigating and fixing the API flaw was "extremely open".

Medefer said it had reported the issue to the ICO (Information Commissioner's Office) and the CQC (Care Quality Commission), "in the interests of transparency", and that the ICO had confirmed there is no further action to be taken as there is no evidence of a breach.

The engineer, who had been contracted in October to test for flaws in the company's software, left the company in January.

In a statement Dr Bahman Nedjat-Shokouhi, founder and CEO of Medefer, said: "There is no evidence of any patient data breach from our systems."

He confirmed that the flaw had been discovered in November and a fix was developed in 48 hours.

"The external security agency has asserted that the allegation that this flaw could have provided access to large amounts of patients' data is categorically false."

The security agency will complete its review later this week.

Dr Nedjat-Shokouhi added: "We take our duties to patients and the NHS very seriously. We hold regular external security audits of our systems by independent external security agencies, undertaken on multiple occasions every year."

Cybersecurity experts, who have looked at information supplied by the software engineer, have expressed their concern.

"There is the possibility that Medefer stored data derived from the NHS not as securely as one would hope it would be," said Prof Alan Woodward, a cybersecurity expert at the University of Surrey.

"The database might be encrypted and all the other precautions taken, but if there is a way of glitching the API authorisation, anyone who knows how could potentially gain access," he added.

Another expert pointed out that as Medefer deals with highly-sensitive, medical data, the company should have brought in cybersecurity experts as soon as the problem was identified.

"Even if the company suspected that no data was stolen, when facing an issue that could have resulted in a data breach, especially with data of the nature in question, an investigation and confirmation from a suitably qualified cybersecurity expert would be advisable," says Scott Helme, a security researcher.

Medefer was founded in 2013 by Dr Nedjat-Shokouhi, with a goal to improve outpatient care. Since then its technology has been used by NHS trusts across the country.

In a statement the NHS spokesperson said those trusts are responsible for their contracts with the private sector.

"Individual NHS organisations must ensure they meet their legal responsibilities and national data security standards to protect patient data when appointing suppliers, and we offer them support and training nationally on how this should be done."