- According to reports, the NHS is investigating allegations of a third-party software flaw
- A vulnerability of this type could leave patients exposed
- However, Medefer denies that it did not realize there was a problem
According to the reports, the NHS is “investigating” allegations that a software flaw at a virtual appointment booking provider left patient data exposed for several years.
Reports from Computer Weekly say that a researcher found a flaw at Medefer, which handles 1,500 NHS patient referrals per month, with its system allowing patients to book virtual appointments with doctors, as well as giving access to the relevant patients' data.
However, APIs in the Medefer software were apparently not secured correctly, which means that confidential patient data could have fallen into the wrong hands, the researcher confirmed.
Vulnerable patients
The researcher, who wished to remain anonymous, told Computer Weekly that hackers could target the reported vulnerabilities using “a set of automated tools and techniques” to retrieve personal and confidential information that could be monetized or used for further malicious activity. Since authentication was not required, threat actors could “guide automated calls to APIs to exfiltrate large amounts of data, for example, all patient records.”
The flaw could have existed for at least 6 years, the researcher said, which means that a large amount of NHS data could be at risk.
However, Medefer says that it first heard of the NHS investigation in the media, and that it has had no previous contact with the NHS on this subject.
“There is no evidence of any patient data breach of our systems at any time. This has been formally confirmed by an independent specialist cybersecurity agency,” Dr. Bahman Nedjat-Shokouhi, CEO of Medefer, told TechRadar Pro.
“The external cybersecurity agency has affirmed that the accusation that this defect could have provided access to large amounts of patient data is categorically false, confirmed that all Medefer data systems are currently safe, and that it is not possible No more appropriate action should be taken.”
Healthcare data is incredibly valuable to threat actors, since medical information can be sold on the dark web, and personally identifiable information (such as names, addresses, emails) can be used in social engineering attacks or identity theft, so anyone potentially exposed should monitor their accounts carefully.