
The NHS is currently reviewing concerns about a potential software flaw at Medefer, a private medical services company, which may have left sensitive patient data exposed to attackers. The issue, first identified in November by a software engineer, has raised questions about the security of patient records handled by the company, which processes approximately 1,500 NHS referrals per month in England.
The engineer who discovered the flaw claims it may have existed for at least six years, a claim Medefer strongly denies. The company has emphasized that there is no evidence of a data breach and that the vulnerability was swiftly addressed within 48 hours of being reported. In response to the concerns, Medefer commissioned an external security agency in late February to conduct a comprehensive review of its data management systems.
An NHS spokesperson acknowledged the issue, stating that the organization is looking into the matter and will take further action if necessary. Medefer’s platform facilitates virtual consultations between patients and doctors, granting clinicians access to medical records. However, the software bug reportedly left Medefer’s internal patient record system susceptible to external access.
The software engineer, who prefers to remain anonymous, expressed shock at the vulnerability, particularly given the sensitive nature of the data involved. He explained that the flaw stemmed from improperly secured application programming interfaces (APIs), which allow different systems to communicate. According to him, these APIs could have been exploited by unauthorized individuals to access patient records. While he believes it is unlikely that data was compromised, he insists that a thorough investigation should have been conducted to confirm this.
“When I found it, I just thought, ‘No, it can’t be,’” he said, adding that in other organizations such a flaw would have led to an immediate system shutdown for security reasons. Upon discovering the issue, he advised Medefer to engage external cybersecurity specialists to investigate the extent of the vulnerability, but he claims the company did not take immediate action.
Medefer, however, insists that its handling of the issue was transparent and that the external security agency it later engaged found no evidence of a breach. The company also reported the incident to the Information Commissioner’s Office (ICO) and the Care Quality Commission (CQC), with the ICO confirming that no further action was required due to the absence of evidence indicating a breach.
Dr. Bahman Nedjat-Shokouhi, founder and CEO of Medefer, reaffirmed that patient data remained secure. He noted that the security flaw was identified and resolved within two days of its discovery. He also dismissed allegations that the flaw could have allowed large-scale unauthorized access to patient records, citing findings from the external security agency.
Medefer has been a key player in improving outpatient care since its founding in 2013, with its services being widely adopted by NHS trusts across England. The NHS has stated that individual trusts are responsible for ensuring their private sector suppliers adhere to legal and national data security standards.
Cybersecurity experts, however, remain cautious about the situation. Professor Alan Woodward, a cybersecurity specialist at the University of Surrey, pointed out that while Medefer may have taken necessary precautions such as encrypting its databases, the vulnerability in the API could have been exploited if proper authorization controls were not in place. The distinction matters: encryption at rest protects data on stolen disks or backups, but the application holds the decryption key and returns plaintext to any request its API layer accepts, so a missing authentication or authorization check exposes records regardless of how the database is encrypted. Other experts stressed the importance of bringing in external cybersecurity professionals immediately after discovering a potential data risk, especially when handling highly sensitive medical information.
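To make Professor Woodward's point concrete, the following added Python example contrasts an API endpoint with no authorization check against a hardened version of the same endpoint. This is illustrative code written for this article; it is not Medefer's software, and the endpoint, record ids, session tokens and record schema are all hypothetical and constructed here. The "store" stands in for a database encrypted at rest: because the application decrypts whatever the API asks for, the encryption does nothing to stop a request the API wrongly honours.

```python
"""Why encryption at rest does not compensate for a missing API authorization check.

Illustrative code written for this article. The API, record ids, tokens and
schema are hypothetical and do not describe Medefer's actual system.
"""

# Constructed sample data: two referral records belonging to two clinicians.
RECORDS = {
    "ref-1001": {"patient": "Patient A", "clinician_id": "dr-7", "summary": "Referral notes A"},
    "ref-1002": {"patient": "Patient B", "clinician_id": "dr-9", "summary": "Referral notes B"},
}

# Constructed session table: bearer token -> authenticated user (hypothetical).
SESSIONS = {
    "tok-dr7": {"user": "dr-7", "role": "clinician"},
    "tok-dr9": {"user": "dr-9", "role": "clinician"},
}


class RecordStore:
    """Stand-in for a database encrypted at rest.

    The application holds the decryption key, so every read the API layer
    performs on behalf of a caller comes back as plaintext. Encryption at rest
    defends against stolen disks and backups, not against a request the API
    itself decides to serve.
    """

    def get(self, record_id):
        return RECORDS.get(record_id)


class ApiError(Exception):
    """Carries the HTTP status the endpoint would respond with."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


STORE = RecordStore()


def get_record_vulnerable(request):
    """Endpoint with neither authentication nor authorization.

    Anyone who can reach the API and guess or enumerate a record id gets the
    decrypted record back; the database encryption never comes into play.
    """
    record = STORE.get(request["record_id"])
    if record is None:
        raise ApiError(404, "not found")
    return record


def get_record_hardened(request):
    """Same endpoint with authentication plus object-level authorization."""
    session = SESSIONS.get(request.get("token"))
    if session is None:
        raise ApiError(401, "authentication required")
    record = STORE.get(request["record_id"])
    # Use one status for "does not exist" and "not yours", so a caller cannot
    # enumerate valid record ids by telling the two responses apart.
    if record is None or record["clinician_id"] != session["user"]:
        raise ApiError(404, "not found")
    return record


def probe(handler, request):
    """Return (status, body) for a request, the way a client would observe it."""
    try:
        return 200, handler(request)
    except ApiError as exc:
        return exc.status, None


if __name__ == "__main__":
    anonymous = {"record_id": "ref-1002"}                          # no token at all
    wrong_doctor = {"token": "tok-dr7", "record_id": "ref-1002"}   # valid user, another clinician's patient
    owner = {"token": "tok-dr9", "record_id": "ref-1002"}          # the record's own clinician

    for name, req in [("anonymous", anonymous), ("wrong doctor", wrong_doctor), ("owner", owner)]:
        print(f"{name:12s} vulnerable={probe(get_record_vulnerable, req)[0]} "
              f"hardened={probe(get_record_hardened, req)[0]}")
```

The unauthenticated and wrong-clinician requests both receive the full record from the vulnerable handler and are refused by the hardened one. The second request is the case that matters most in practice: a caller who is authenticated but not authorized for that particular object, which is why the hardened version checks ownership on every record rather than only checking that a session exists.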
Scott Helme, a security researcher, noted that even if no data was stolen, any incident involving a possible breach should prompt a full-scale investigation and independent verification. “When facing an issue that could have resulted in a data breach, particularly with sensitive medical data, confirmation from a suitably qualified cybersecurity expert is advisable,” he said.
As the external security agency completes its review, the incident highlights the ongoing challenge of securing digital healthcare infrastructure and ensuring that private companies handling NHS data meet the required cybersecurity standards. The findings of the investigation will likely play a significant role in shaping future regulation and security practice for digital health services in the UK.