An unnamed hacker has managed to steal sensitive information of 1.2 million patients from an NHS contractor's systems, The Sun has revealed.
The hacker infiltrated the NHS contractor's appointment booking system and is claiming to be a member of hacker group Anonymous.
SwiftQueue, the affected NHS contractor, manages appointments for patients seeking treatment or consultation at as many as eight NHS trusts. Recently, a hacker broke into the contractor's systems and accessed sensitive details of 1.2 million patients, including their names, phone numbers, email addresses, and passwords.
The hacker has claimed that he is a member of popular hacker group Anonymous and conducted the hack to show the public how companies like SwiftQueue handle sensitive data.
“I think the public has the right to know how big companies like SwiftQueue handle sensitive data. They can’t even protect patient details,” the hacker told The Sun. The hacker added that he was also able to download the contractor's entire database that contained 11 million patient records.
It is not clear whether the hacker was able to exploit vulnerabilities in older versions of Windows being used by SwiftQueue or if he succeeded in cracking passwords used by the firm.
SwiftQueue has admitted to the breach but has contested the hacker's claim on how much data was compromised. According to the contractor, only 32,501 “lines of administrative data” have been accessed that include patients' names, dates of birth, phone numbers and email addresses.
However, it added that hackers could not get hold of patients' passwords since they are encrypted. The contractor also doesn't store any medical information on patients, so there is no question of it being compromised. The firm has called in investigators from the Met’s specialist Cyber Crime Unit to investigate the breach.
"Attacks like this remind us that hackers don’t always have to break software, sometimes they merely demonstrate that it is already broken. They will exploit any and all vulnerabilities to gain access to sensitive data, including weak links in the supply chain," says Thomas Fischer, global security advocate at Digital Guardian.
"While many businesses are placing more emphasis on their own data protection these days, it’s easy to forget third parties pose just as much of a risk to security. Simply assuming that suppliers and partners have adequate protection in place isn’t good enough," he adds.
Fischer adds that a contractor being compliant with security standards at one point in time does not mean it will remain compliant forever, as any changes in the company’s infrastructure or advancements in attack techniques need to be considered as well.
Earlier this month, personal details of as many as 500 specialist trainee doctors at St Helens and Knowsley Teaching Hospitals NHS Trust were exposed after an internal spreadsheet containing their sensitive and private details was published online. Details in the spreadsheet included National Insurance numbers, email addresses, and home addresses of the 500 doctors.
The incident at St Helens and Knowsley Teaching Hospitals NHS Trust made it clear that merely updating outdated software in NHS hospitals will not prevent data breaches, as the human factor remains the largest vector for such leaks.