The NHS is “looking into” claims made by an IT whistleblower that patient data was left vulnerable by security failures within a private healthcare provider.
The personal details of NHS patients referred to virtual healthcare provider Medefer were exposed due to an application programming interface (API) security flaw.
There is no evidence that data was compromised and the vulnerability has been fixed, but Medefer admitted
Medefer offers patients online appointments through the NHS's e-Referral System (e-RS). When a patient is referred to Medefer, the firm receives patient data from e-RS or the NHS Spine to make it available to medics, who provide online consultations.
The healthcare provider said it has appointed an independent security firm to investigate the flaw and an external counsel to advise on the situation, but did not say when.
The security hole in the Medefer API, which was discovered in November 2024, meant data on Medefer's internal patient system, which contains data from the NHS, could be accessed via the API without requiring authentication.
Medefer CEO and NHS consultant doctor Bahman Nedjat-Shokouhi said the problem was fixed within 48 hours of being discovered, but he admitted to not knowing how long the vulnerability had existed.
He said the exposed data was not full medical records, but admitted it included names, addresses, NHS numbers and some doctors' notes.
The whistleblower, a software testing contractor, said he reported the security hole in the private company's systems to its management while working for the company. He said he believes the problem existed for at least six years.
“Hackers target vulnerabilities such as this using a suite of automated tools and techniques to retrieve private and sensitive information that could be monetised or used for further malicious [purposes]. Since no authentication was required, attackers could script automated calls to the APIs to exfiltrate large amounts of data, for example all patient records,” he added.
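The flaw the article describes is an API that handed out patient records to callers who never proved who they were. The example below is added here for illustration and is not Medefer's code or anything from its systems: it shows a handler that returns records with no check, the same handler behind a bearer-token gate, and a defensive audit that sends a credential-free request to every registered route and reports any that answer with data. The route paths, the static token, the record contents and the `Request`/`Response` types are all constructed assumptions; a real service would use per-client credentials and a web framework rather than this in-process router.

```python
# Added example (not Medefer's code): a minimal in-process request router
# showing an endpoint that returns patient records to any caller, beside a
# hardened handler that demands a bearer token, plus an audit that sends an
# unauthenticated request to every registered route and flags those that
# answer with data. All names, tokens and records below are constructed.
import hmac
from dataclasses import dataclass, field

# Constructed sample records; fictional, not real NHS data.
PATIENT_RECORDS = {
    "p1": {"name": "Test Patient One", "nhs_number": "000 000 0001",
           "notes": "constructed example note"},
    "p2": {"name": "Test Patient Two", "nhs_number": "000 000 0002",
           "notes": "constructed example note"},
}

# Assumed: one static API token, purely for illustration.
VALID_TOKEN = "constructed-example-token"


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: object = None


def is_authenticated(req: Request) -> bool:
    """Accept only 'Authorization: Bearer <token>' carrying the expected token."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    # compare_digest keeps the comparison constant-time for equal-length inputs
    return hmac.compare_digest(auth[len("Bearer "):], VALID_TOKEN)


def list_patients_unauthenticated(req: Request) -> Response:
    """The weak pattern the article describes: data returned with no check."""
    return Response(200, list(PATIENT_RECORDS.values()))


def list_patients_hardened(req: Request) -> Response:
    """Same endpoint behind an authentication gate; callers without a valid
    token get 401 and no body."""
    if not is_authenticated(req):
        return Response(401)
    return Response(200, list(PATIENT_RECORDS.values()))


def audit_unauthenticated_access(routes: dict) -> list:
    """Send a credential-free request to every route and return the paths
    that answer with a 2xx status and a non-empty body. Run this as a
    regression test so a handler that forgets its auth check cannot ship."""
    exposed = []
    for path, handler in sorted(routes.items()):
        resp = handler(Request(path=path))
        if 200 <= resp.status < 300 and resp.body:
            exposed.append(path)
    return exposed


# Two constructed route tables: the weak one and the hardened one.
WEAK_ROUTES = {"/api/patients": list_patients_unauthenticated}
HARDENED_ROUTES = {"/api/patients": list_patients_hardened}

if __name__ == "__main__":
    print("weak routes exposing data:", audit_unauthenticated_access(WEAK_ROUTES))
    print("hardened routes exposing data:", audit_unauthenticated_access(HARDENED_ROUTES))
```

Running the audit against the weak table reports `/api/patients`; against the hardened table it reports nothing. Wiring a check like this into the deployment pipeline, so that every route is probed without credentials before release, is the kind of control that catches the exposure the article describes regardless of how long ago the missing check was introduced.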
The NHS and Medefer know the identity of the whistleblower, but he has asked to withhold his name from this story. Computer Weekly has seen evidence of conversations between Medefer employees expressing the seriousness of the security problems.
Contract terminated
The whistleblower said: “I found a number of other vulnerabilities and highlighted many issues with how the systems were built, maintained and deployed, which I repeatedly raised over the next two months. Upon, again, raising this with the CEO and threatening to go public, my contract was terminated abruptly.”
Nedjat-Shokouhi said this was not the reason the whistleblower was let go, but would not comment further.
A statement from Medefer said: “We are taking the matter seriously so that we can provide reassurance to patients and other interested parties. In the interests of transparency, we have notified the Information Commissioner's Office (ICO) of the allegations and lines of communication remain open. We have also commissioned an independent investigation into the matter to be conducted by a City firm of solicitors with the assistance of external data experts and leading and junior counsel.”
The company added: “To date, we have found no evidence that any patient has been compromised. We will continue to ensure the highest standards of data security and patient confidentiality are upheld and we will keep the ICO updated, as appropriate. If any weaknesses are found to exist, they will of course be addressed.”
After his contract was terminated, the whistleblower contacted the NHS last month for support and requested it contact Computer Weekly.
After Computer Weekly contacted the NHS, a spokesperson said: “We are looking into the concerns raised about Medefer and will take further action if appropriate. […] they meet their legal responsibilities and national data security standards to protect patient data when appointing suppliers, and we offer them support and training nationally on how this should be done.”
The NHS was not aware of the Medefer security concerns when Computer Weekly contacted it on 27 February.
Medefer has hired a security firm to produce a report on the API flaw and fix, which is due to report imminently.
The ICO confirmed Medefer made it aware of the investigation into the security problem and said there has been no reported breach. Computer Weekly asked the ICO when it was informed by Medefer of the vulnerability, but it said it “would not provide that detail”.
Integrity and ethics in IT
The whistleblower, who said it seems Medefer is now doing the right thing, said the Post Office scandal influenced his decision to speak out when he felt not enough was being done. “It's a matter of responsibility, integrity and ethics,” he said.
Neil Gordon, a professor at the University of Hull and chair of the British Computer Society's ethics specialist group, said the Post Office scandal has highlighted the important role that IT staff have in alerting employers and authorities to problems.
“The Post Office Horizon scandal has starkly demonstrated the critical need for IT professionals to speak up when they identify problems. The destructive consequences of silence are evident in the injustice suffered by so many subpostmasters,” he told Computer Weekly.
“As our reliance on IT systems grows – particularly in safety-critical areas like healthcare and autonomous vehicles – specialists must not only feel empowered to raise concerns, but also be heard when they do.”
Gordon said organisations should foster a culture that welcomes internal scrutiny, rather than suppressing it.