
The National Health Service (NHS) is investigating claims that an application programming interface (API) vulnerability at private healthcare provider Medefer left patient data exposed. The issue, initially raised by an IT whistleblower, has prompted scrutiny from the NHS, which has stated it will take further action if necessary.
Medefer, a virtual healthcare provider that offers online consultations through the NHS e-referral system (e-RS), confirmed the API flaw but emphasized that there is no evidence of data compromise. The vulnerability, which was discovered in November 2024, allowed unauthorized access to patient information stored in Medefer’s internal records system. The company has since fixed the flaw, reportedly within 48 hours of its discovery, but CEO and NHS consultant Dr. Bahman Nedjat-Shokouhi admitted uncertainty about how long the issue had existed.
The security flaw meant that patient data, including names, addresses, NHS numbers, and limited doctors’ notes, could be accessed without authentication. The whistleblower, a software testing contractor, alleged that the vulnerability had been present for at least six years and warned that attackers could have exploited it to extract large amounts of sensitive information using automated tools.
Medefer has hired an independent security firm and external legal counsel to investigate the issue. The company also reported the matter to the UK’s Information Commissioner’s Office (ICO), stating that it remains committed to maintaining high standards of data security and patient confidentiality. A formal investigation report from the security firm is expected soon.
The whistleblower claims he repeatedly raised concerns about multiple security vulnerabilities within Medefer’s systems. However, he said his contract was terminated after escalating the issue directly to the CEO and threatening to make the concerns public. While Medefer has not provided specific reasons for his dismissal, Nedjat-Shokouhi denied that it was linked to his security warnings.
After his contract was terminated, the whistleblower approached the NHS for support but did not receive a response. Following media inquiries, an NHS spokesperson confirmed that the concerns about Medefer were under review and reiterated that healthcare providers must meet legal data security standards.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd.