British healthcare platform Lantum leaked doctors' personal data via cloud misconfiguration

Lantum, a UK-based online freelance agency for doctors, suffered a significant data leak that exposed the sensitive personal information of thousands of doctors.

Based in Shoreditch, London, Lantum is a well-known provider of workforce management solutions to healthcare companies. The company is a member of the NHS Innovation Accelerator programme and enabled more than 4.2 million GP appointments since 2012.

The Cybernews research team recently said its experts, during routine monitoring of various cloud storage repositories, identified a misconfigured Amazon AWS S3 bucket that contained around 98,000 files belonging to Lantum.

The cloud storage contained information dated between 2014 and 2016 and included names, dates of birth, current and past employers, home addresses, phone numbers, email addresses, passport information, medical documents, certifications, criminal records, and Invoices/Payroll details of individuals registered with the company.

Soon after it discovered the cloud instance, Cybernews contacted Lantum and notified it about the significant data exposure and the possibility of malicious actors gaining access to the exposed information.

A company spokesperson acknowledged the cyber security incident and said, “We are able to take action to ensure that the data was fully secured and made inaccessible”.

Lantum said it took steps to secure the cloud storage by 8th June and confirmed that the database is no longer accessible to unauthorised individuals.

“We are, however, treating this matter as a potential data breach and will continue to liaise with any individuals who may be affected should more information be revealed by our investigations,” the spokesperson said.

The company also added that the exposed database was hosted on Lantum’s old platform, Network Locum, which is no longer in use. “We would stress that since 2016, we have been operating on a completely different and highly secure platform, which conforms to the latest UK government approved and international security standards and undergoes regular testing,” Lantum added.

Cybernews also added that Lantum has reported the security incident to the Information Commissioner’s Office and has involved third party cyber security experts to investigate the matter and understand the scope of the same.

In a statement shared with The Register, a Lantum spokesperson said, “We have been alerted to the existence of a potential vulnerability relating to historic data held on an old website ’Network Locum’ that has been out of use since 2016. We were able to take action to ensure that the data was fully secured and made inaccessible.

“The data includes detailed personal information about healthcare professionals that have used our services in the past, and we have advised those potentially affected to take precautions to protect their identity.

“We are, however, treating this matter as a potential data breach and will continue to liaise with any individuals who may be affected should more information be revealed by our investigations.

“The data in question relates to documents uploaded between 2014 and 11th September 2016. This data was stored on an old version of the Lantum platform ’Network Locum’ that is no longer live, which Lantum migrated away from as part of an upgrade in September 2016.

“We would stress that since 2016, we have been operating on a completely different and highly secure platform, which conforms to the latest UK government-approved and international security standards and undergoes regular testing,” the spokesperson added.