An NHS contractor has contacted the police, after a website that it manages was breached by a hacker claiming to represent the Anonymous hacking group. The attacker was able to beat security and access a database with records on more than 1 million people.
SwiftQueue operates an appointment booking service for eight NHS Trusts; it also operates patient-operated check-in terminals in waiting rooms. After it discovered the breach, the company got in touch with the Metropolitan Police's Cyber Crime unit.
The alleged attacker contacted The Sun newspaper, saying that people have "a right to know how big companies like SwiftQueue handle sensitive data."
According to the hacker, the attack exploited unpatched weaknesses in SwiftQueue's software. This enabled them to download the company's entire database, containing more than 11 million records, including passwords.
SwiftQueue disputes the assertion. It acknowledges that a hack took place, but says that its database is not as big as claimed. It says that around 32,500 lines of 'administrative data' were accessed, some of which was test data relating to 'dummy' patients. What was accessed does include personal details such as names and dates of birth, but does not include medical records; passwords are encrypted.
No further details, such as which Trust or Trusts were affected, were shared.
Sam Smith, a coordinator at MedConfidential (a group dedicated to protecting patients' medical records and personal information), told The Sun, "Patients will be alarmed that a company trusted by the NHS to hold their private data has been compromised in this way.
"Firms should take every step possible to keep private data secure, which does not appear to have happened in this case... The NHS should be doing more to ensure their suppliers meet the highest possible standards of data security."
SwiftQueue is now informing patients who have been affected.
The NHS was recently granted £21 million to improve its cybersecurity, in the wake of the WannaCry ransomware attack.