A hacker who is allegedly linked to the international hacktivist group Anonymous has revealed that he has managed to steal data from an appointment booking system used by the UK's National Health Service (NHS). He is said to have breached the security of a private contractor working for the NHS and gained access to up to 1.2 million confidential patient records.
The private contractor in question is SwiftQueue, a company that works with a total of eight NHS trusts and manages a website that patients use to book appointments with a hospital, clinic, or a GP. The company is also responsible for the operation and maintenance of terminals in the waiting rooms, which are used by patients for checking in.
The firm has contacted the Cyber Crime Unit of London's Metropolitan Police for assistance. Meanwhile, someone who has claimed to be representing Anonymous has contacted The Sun, stating: "I think the public has the right to know how big companies like SwiftQueue handle sensitive data. They can't even protect patient details."
The source claims that they were able to download SwiftQueue's entire database, consisting of around 11 million records and passwords. What's even more worrying is that they allegedly exploited a weakness in the company's software that should have already been patched several years ago.
SwiftQueue has responded by saying that their database isn't that big and that their initial investigation suggests that only 32,501 "lines of administrative data" have been exposed. The patients' personal details included dates of birth, names, email addresses and phone numbers. SwiftQueue insisted that they don't hold medical records and that the passwords are encrypted. They still refused to comment on how many patients were affected by the breach.
MedConfidential's Sam Smith has commented, saying: "Patients will be alarmed that a company trusted by the NHS to hold their private data has been compromised in this way." He also called for companies to "take every step possible to keep private data secure, which does not appear to have happened in this case."
By now, it has become painfully obvious that the NHS should take better steps to ensure the safety of patient data. This breach comes after May's WannaCry attack that infected 47 NHS trusts with malware. There have been several similar incidents involving the NHS that happened earlier in the year as well.