NHS investigating how API flaw exposed patient data | Computer Weekly

By Computer Weekly
March 5, 2025


The NHS is “looking into” claims made by an IT whistleblower that patient data was left vulnerable by security failures within a private healthcare provider.

The personal details of NHS patients referred to virtual healthcare provider Medefer were exposed due to an application programming interface (API) security flaw.

There is no evidence that data was compromised and the vulnerability has been fixed, but Medefer admitted the API security flaw left data vulnerable to a targeted attack.

Medefer offers patients online appointments through the NHS’s e-referral system (e-RS). When a patient is referred to Medefer, the firm receives patient data from e-RS or the NHS Spine to make it available to medics, who provide online consultations.

The healthcare provider said it has appointed an independent security firm to investigate the flaw and an external counsel to advise on the situation, but did not say when.

The security hole in the Medefer API, which was discovered in November 2024, meant data on Medefer’s internal patient record system, which contains data from the NHS, could have been accessed without requiring authentication, via the API.

Medefer CEO and NHS consultant doctor Bahman Nedjat-Shokouhi said the problem was fixed within 48 hours of being discovered, but he admitted to not knowing how long the vulnerability existed.

He said the exposed data was not full medical records but admitted it included names, addresses, NHS numbers and some doctors’ notes.

The whistleblower, a software testing contractor, said he reported the security hole in the private company’s systems to its management, while working for the company. He said he believes the problem existed for at least six years.

“Hackers target vulnerabilities such as this using a suite of automated tools and techniques to retrieve private and sensitive information that could be monetised or used for further malicious activity. Since no authentication was required, attackers could script automated calls to the APIs to exfiltrate large amounts of data, for example all patient records,” he added.

The NHS and Medefer know the identity of the whistleblower, but he has asked to withhold his name from this story. Computer Weekly has seen evidence of conversations between Medefer employees expressing the seriousness of the security problems.

Contract terminated

The whistleblower said: “I found a number of other vulnerabilities and highlighted many issues with how the systems were built, maintained and deployed, which were repeatedly raised over the next two months. Upon, again, raising this with the CEO and threatening to go public my contract was terminated abruptly.”

Nedjat-Shokouhi said this was not the reason the whistleblower was let go, but would not comment further.

A statement from Medefer said: “We are taking the matter seriously so that we can provide reassurance to patients and other interested parties. In the interests of transparency, we have notified the Information Commissioner’s Office (ICO) of the allegations and lines of communication remain open. We have also commissioned an independent investigation into the matter to be conducted by a City firm of solicitors with the assistance of external data experts and leading and junior counsel.”

The company added: “To date, we have found no evidence that any patient data has been compromised. We will continue to ensure the highest standards of data security and patient confidentiality are upheld and we will keep the ICO updated, as appropriate. If any weaknesses are found to exist, they will of course be addressed.”

After his contract was terminated, the whistleblower contacted the NHS last month for support and requested it contact him urgently, but he did not receive any acknowledgement or response, he told Computer Weekly.

After Computer Weekly contacted the NHS, a spokesperson said: “We are looking into the concerns raised about Medefer and will take further action if appropriate. Individual NHS organisations must ensure they meet their legal responsibilities and national data security standards to protect patient data when appointing suppliers, and we offer them support and training nationally on how this should be done.”

The NHS was not aware of the Medefer security concerns when Computer Weekly contacted it on 27 February.

Medefer has hired a security firm to produce a report on the API flaw and fix, which is due to report imminently.

The ICO confirmed Medefer made it aware of the investigation into the security problem and said there has been no reported breach. Computer Weekly asked the ICO when it was informed by Medefer of the vulnerability, but the ICO said it “would not provide that detail.”

Integrity and ethics in IT

The whistleblower, who said it seems Medefer is now doing the right thing, said the Post Office scandal influenced his decision to speak out when he felt not enough was being done by the NHS, ICO and Medefer. “It’s a matter of responsibility, integrity and ethics,” he said.

Neil Gordon, a professor at the University of Hull and chair of the British Computer Society’s ethics specialist group, said the Post Office scandal has highlighted the important role that IT staff have in alerting employers and authorities to potential problems.

“The Post Office Horizon scandal has starkly demonstrated the critical need for IT professionals to speak up when they identify problems. The destructive consequences of silence are evident in the injustice suffered by so many subpostmasters,” he told Computer Weekly.

“As our reliance on IT systems grows – particularly in safety-critical areas like healthcare and autonomous vehicles – specialists must not only feel empowered to raise concerns but also be heard when they do.”

Gordon said organisations should foster a culture that welcomes internal scrutiny, rather than suppressing it.
