NHS 1.2 million patient name database hacked ‘to expose weaknesses’

Shahmeer Amir
3 min read · Aug 22, 2017


The NHS has suffered a data breach in its SwiftQueue appointment booking system whose database contains confidential records on up to 1.2 million people according to an exclusive report in the Sun tabloid newspaper.

The same report quotes SwiftQueue saying its database is not that big and its own initial investigation suggests only 32,501 “lines of administrative data” have been accessed, including patients’ personal details, such as names, dates of birth, phone numbers and email addresses, but not patients’ medical records and that passwords are encrypted.

In typical Sun style, the article identifies the culprit as, “A computer geek with alleged links to global hacking group Anonymous,” and adds that “The firm has called in cops from the Met’s specialist Cyber Crime Unit.”

Patients at eight NHS trusts can use a website managed by SwiftQueue to book GP, hospital or clinic appointments, and can check in on arrival using terminals run by the company.

The Sun reports that it was told by someone claiming to represent Anonymous: “I think the public has the right to know how big companies like SwiftQueue handle sensitive data.” The same person told the paper that the hack exploited weaknesses in SwiftQueue’s software which should have been patched several years ago, and claimed to have downloaded the company’s entire database, containing 11 million records, including passwords — contradicting SwiftQueue’s reassurances.

The Metropolitan Police told the paper: “The Met’s Cyber Crime Unit received a referral from Action Fraud following an allegation of computer misuse related to a data breach on Thursday, 10 August. Officers are in touch with the organisation affected and are investigating. There have been no arrests and enquiries continue.”

In an email to SC, Thomas Fischer, global security advocate at Digital Guardian, said: “Attacks like this remind us that hackers don’t always have to break software, sometimes they merely demonstrate that it is already broken. They will exploit any and all vulnerabilities to gain access to sensitive data, including weak links in the supply chain. Enterprises need to secure every point of access to appropriately protect their customers. While many businesses are placing more emphasis on their own data protection these days, it’s easy to forget third parties pose just as much of a risk to security. Simply assuming that suppliers and partners have adequate protection in place isn’t good enough. Many believe that if third party suppliers and contractors are compliant to one security standard or another, they can be trusted with sensitive data. But being compliant at one point in time is not a true indication of security posture, as it doesn’t take into account any changes in the company’s infrastructure or advancements in attack techniques.”

For one commentator on reddit called Molkotak, the fact that the breach did not include medical data was, “All we needed to know. Not particularly fond of the idea of someone getting my name and address from my GP website, but it’s not any worse than an ecommerce site being breached just because of a medical association.”

While that may be true in this case, in the healthcare sector it is not just databases that are under attack: health equipment is too. In a separate report, Dutch tech company Philips has acknowledged that a web-based reporting tool that tracks radiation doses delivered by X-ray machines and related devices contains security vulnerabilities that could impact patient confidentiality, system integrity or system availability.

In a 17 August online vulnerability disclosure, Philips noted that the back-end system for its Philips DoseWise Portal (DWP) uses hard-coded database login credentials, and stores these credentials in clear text. “Philips has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem,” the notification reads.

Attackers with elevated privileges who are able to access the back-end system files can exploit these flaws to infiltrate the database, which contains sensitive patient health information. Philips plans to issue a product update this month to alleviate this problem, but in the meantime users are advised to block Port 1433, except where a separate SQL server is used.
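The weakness Philips describes, a literal database password sitting in clear text in a back-end configuration file, is easy to audit for. Below is an added example, not Philips code and not based on any DWP file: a small Python scanner that flags SQL Server style connection strings carrying a literal password, while accepting Windows authentication or a deploy-time placeholder as the hardened form. The config format, file names and credential values are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Connection-string keys that carry a clear-text secret (ADO.NET / ODBC style,
# key names are case-insensitive; a value runs up to the next ';' or quote).
PASSWORD_KEY = re.compile(r"(?i)\b(?:password|pwd)\s*=\s*([^;\"'\s]+)")
SERVER_KEY = re.compile(r"(?i)\b(?:server|data source|address|addr)\s*=\s*([^;\"']+)")
# A ${VAR} / %VAR% placeholder means the secret is injected at deploy time, not stored.
PLACEHOLDER = re.compile(r"^(\$\{[^}]+\}|%[^%]+%)$")

@dataclass
class Finding:
    path: str
    line: int
    server: str      # host[,port] the credential unlocks; SQL Server defaults to 1433
    masked: str      # first character kept so an operator can correlate, rest hidden

def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per line that embeds a literal database password."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        pw = PASSWORD_KEY.search(line)
        if not pw or PLACEHOLDER.match(pw.group(1)):
            continue
        srv = SERVER_KEY.search(line)
        server = srv.group(1).strip() if srv else "<unknown>"
        secret = pw.group(1)
        findings.append(Finding(path, n, server, secret[0] + "*" * (len(secret) - 1)))
    return findings

def audit(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: content} map (swap in a directory walk on a real host)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample: a weak back-end config with a literal password, beside a
# hardened one that uses Windows authentication or a deploy-time placeholder.
SAMPLE_FILES = {
    "weak/app.config":
        '<add name="Main" connectionString="Server=db-host,1433;Database=Reports;'
        'User Id=svc_report;Password=Summer2017!" />\n',
    "hardened/app.config":
        '<add name="Main" connectionString="Server=db-host,1433;Database=Reports;'
        'Integrated Security=SSPI" />\n'
        '<add name="Archive" connectionString="Server=archive-host;Database=Arch;'
        'User Id=svc_arch;Password=${ARCH_DB_PASSWORD}" />\n',
}

if __name__ == "__main__":
    for f in audit(SAMPLE_FILES):
        print(f"{f.path}:{f.line} literal password for {f.server} ({f.masked})")
```

Run against the sample, only the weak file is reported; the hardened file passes because neither of its entries stores a secret on disk.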


Shahmeer Amir is an ethical hacker, cyber security researcher and bug bounty hunter from Pakistan.