A member of the Anonymous hacking collective claims to have stolen data belonging to 1.2 million patients of the United Kingdom’s National Health Service (NHS).
The breach affected swiftQueue, a software provider of dashboard and metrics solutions to healthcare clinics. Currently, the vendor manages the websites of eight NHS facilities. Patients of those health centers can use the swiftQueue-managed site to schedule appointments and check in at waiting rooms.
Naturally, swiftQueue requires patients to submit their personal information in order to complete a transaction. Its software therefore constitutes a treasure trove of data for attackers… that is, if they can find a flaw to hack their way in.
Well, it appears that’s exactly what happened.
An unknown hacker who says they are associated with Anonymous claims to have exploited unpatched software vulnerabilities in swiftQueue’s software to steal a database containing 11 million records, including the passwords and personal data (names, birth dates, phone numbers, and email addresses) of 1.2 million NHS patients.
As the individual told The Sun:
“The public has the right to know how big companies like SwiftQueue handle sensitive data. They can’t even protect patient details.”
The Metropolitan Police learned of the attack on 10 August at the referral of Action Fraud. At this time, its officers are investigating the scope and nature of the breach.
It’s a good thing, too, as there appears to be some dispute involving the hack.
Indeed, swiftQueue told the media that an unauthorized party accessed only “32,501 lines of administrative data,” which is presumably nowhere close to 11 million records. This information, according to the company, also doesn’t contain patients medical records, stores encrypted versions of users’ passwords, and even includes data belonging to “dummy” patients.
Thus far, it appears the breach has affected only one NHS facility. Such an impact, if true, is considerably smaller than the damage that WannaCry wrought against the United Kingdom’s health service in May 2017. Investigators have not revealed which center this newest incident might have affected, however.
NHS and swiftQueue are currently working together to notify affected victims.
While affected patients wait to be notified, they should exercise digital security common sense by not answering calls from unknown senders or clicking on suspicious links and email attachments. If the hacker responsible for the breach sold the database somewhere on the web, computer criminals could try to conduct secondary phishing and malware attacks against the exposed victims. So stay sharp and think before you click!
Update:swiftQueue has been in touch, with the following statement:
“swiftQueue recently became aware of a cyber-attack which affected a small subset of administrative data sets, with the breach fixed within three hours. No medical records have been illegally accessed by this criminal and swiftQueue has reported the incident to the Metropolitan Police Cyber Crime Unit who are investigating.”
“There was 32,501 lines of administrative data accessed , some of it was test data which related to ‘dummy’ patients. We are in the process of informing the patients affected and working with the police so will not be releasing any further information at this stage.”
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.