The medical records of 1.2 million brits are thought to have been stolen by a hacker with alleged links to the global hacking group Anonymous, The Sun have reported.
The hacker claims to have gained access to an NHS database, operated by the online healthcare platform SwiftQueue. The company runs appointment booking services for eight NHS Trusts giving patients access to online booking at GPs, hospitals and clinics. The company however does not hold medical records on its servers.
After discovering that SwiftQueue’s website had been compromised, an NHS contractor contacted the Metropolitan Police’s Cyber Crime unit.
A spokesperson claiming to represent Anonymous told The Sun: “I think the public has the right to know how big companies like SwiftQueue handle sensitive data. They can’t even protect patient details.”
The medical records were able to be stolen due to a weakness in SwiftQueue’s software, which should have already been patched. The attacker claims to have downloaded SwiftQueue’s entire database, including 11 million records containing patient passwords.
SwiftQueue state that the attack isn’t as widespread as the hacker claims and that the attack only affected a “small subset of administrative data sets.” The company went on to state that the breach was fixed within three hours and that some of the data related to ‘dummy’ patients.
A company spokesperson said: “swiftQueue recently became aware of a cyber-attack which affected a small subset of administrative data sets, with the breach fixed within three hours. No medical records have been illegally accessed by this criminal and swiftQueue has reported the incident to the Metropolitan Police Cyber Crime Unit who are investigating. There was 32,501 lines of administrative data accessed , some of it was test data which related to ‘dummy’ patients. We are in the process of informing the patients affected and working with the police so will not be releasing any further information at this stage.”
NHS Digital commented on the attack, saying: “SwiftQueue does not hold medical information, but has told us that one of their databases may have been unlawfully accessed, affecting 32,500 lines of administrative data. This is limited to names, dates of birth, phone numbers and, in some cases, email addresses. We will continue to support SwiftQueue and the NHS as investigations continue.”
SwiftQueue refuse to say which NHS Trust the attack related to and how many patients have been affected.
The attack follows a year in which cyberattacks have become a hot topic for the NHS. Multiple NHS Trusts have been hit by cyberattacks this year and the NHS was hit badly by the WannaCry attack which affected organisations across various sectors.