
The UK’s National Health Service (NHS) said on Thursday it has launched an investigation into a 2024 data leak exposing patient data at NHS healthcare partner Medefer. This comes as a whistleblower claims the private health information could have been left unprotected for up to six years.
The publicly funded healthcare system says it is “looking into” claims that an unsecured API on Medefer’s internal network system had left patient data exposed for an undetermined amount of time before it was discovered.
Established in 2013, Medefer is a private medical consulting firm that has partnered with the NHS to help review doctor recommendations for care and speed up the process for patients who need fast access to specialists, testing, and appointments.
Upwards of one in every 82 people in the UK is covered by Medefer’s services, according to a report by HealthTech World.
The data leak itself was exposed by an IT whistleblower while working for the virtual medical concierge, according to Computer Weekly, which first covered the story.
Apparently, any threat actor aware of the open API could have had unauthorized access to the private health data of any NHS patient who was referred to Medefer before November 2024, when the vulnerability was first discovered.

Medefer’s CEO and NHS consultant doctor, Bahman Nedjat-Shokouhi, said the company patched the vulnerability within 48 hours of its discovery and that there was no evidence that patient health data was accessed.
Still, Nedjat-Shokouhi told Computer Weekly the company has no way of knowing how long the data had been exposed in the wild.
The whistleblower, who was hired by Medefer as a contract software tester, said they “believed” the API had been exposed for 6 years, the media outlet reported.
“Hackers target vulnerabilities such as this using a suite of automated tools and techniques to retrieve private and sensitive information that could be monetised or used for further malicious activity. Since no authentication was required, attackers could script automated calls to the APIs to exfiltrate large amounts of data, for example, all patient records,” the whistleblower was quoted as saying.
According to the CEO, only “names, addresses, NHS numbers, and some doctors' notes” were exposed, as opposed to complete medical records.
The company announced it has brought in an independent security firm to review what happened, as well as outside legal counsel for advice.
The unnamed whistleblower, who has since been terminated from their job, told Computer Weekly they had discovered “a number of other vulnerabilities,” repeatedly informing management (including Nedjat-Shokouhi) about “issues with how the systems were built, maintained, and deployed.”
The whistleblower said that when they threatened to go public with the information, their contract was “terminated abruptly.” Nedjat-Shokouhi, meanwhile, denied the contractor was let go because of exposing vulnerabilities in the system, the report said.
“We are taking the matter seriously so that we can provide reassurance to patients and other interested parties. In the interests of transparency, we have notified the Information Commissioner’s Office (ICO) of the allegations and lines of communication remain open,” Medefer said in a statement.