A HACKER with alleged ties to Anonymous claims to have accessed an NHS database with records on more than one million patients.
SwiftQueue operates an appointment booking service for eight NHS Trusts; it also operates patient-operated check-in terminals in waiting rooms.
An NHS contractor contacted the Metropolitan Police's Cyber Crime unit after it discovered that the website had been breached.
Touché, said the alleged attacker, who contacted The Sun newspaper, saying that people have "a right to know how big companies like SwiftQueue handle sensitive data."
According to the hacker, the attack exploited unpatched weaknesses in SwiftQueue's software. This enabled the attacker to download the company's entire database, containing more than 1.2 million records, including passwords.
SwiftQueue disputes the assertion. It acknowledges that a hack took place, but says that its database is not as big as claimed. It says that around 32,500 lines of 'administrative data' were accessed, some of which was test data relating to 'dummy' patients. However, what was accessed does include personal details such as names and dates of birth, but does not include medical records; passwords are encrypted.
No more details, such as which Trust(s) was affected, were shared.
Sam Smith, a coordinator at MedConfidential (a group dedicated to protecting patients' medical records and personal information), told The Sun: "Patients will be alarmed that a company trusted by the NHS to hold their private data has been compromised in this way.
"Firms should take every step possible to keep private data secure, which does not appear to have happened in this case... The NHS should be doing more to ensure their suppliers meet the highest possible standards of data security."
SwiftQueue is now informing patients who have been affected.
The NHS was recently granted £21m to improve its cybersecurity, in the wake of the WannaCry ransomware attack.