The NHS is investigating claims made by a whistleblower regarding a security flaw at Medefer, an online healthcare provider working with the NHS. The whistleblower alleged that a flaw in the company’s application programming interface (API) exposed NHS patient data. Medefer, however, has denied the claims and insists that the vulnerability has been addressed.
When a patient is referred to Medefer for an online appointment, the company receives patient data from the NHS’s e-referral system (e-RS) or the NHS Spine, which is then made available to medical professionals for consultations.
The whistleblower, a software testing contractor, claimed that in November last year, he alerted Medefer management to a flaw in the API that could have allowed unsanctioned access to NHS data within the company’s internal patient record system. The vulnerability, according to him, could have been exploited by malicious actors who, using automated tools, could have exfiltrated sensitive data.
“Hackers target vulnerabilities such as this using a suite of automated tools and techniques to retrieve private and sensitive information that could be monetized or used for further malicious activity,” the whistleblower told Computer Weekly. “Since no authentication was required, attackers could script automated calls to the APIs to exfiltrate large amounts of data, for example, all patient records.”
In response to the allegations, Dr Bahman Nedjat-Shokouhi, CEO of Medefer and NHS consultant gastroenterologist, stated that the vulnerability was fixed within 48 hours of being reported. He emphasized that an independent specialist cybersecurity agency had investigated the issue and confirmed that no patient data had been breached.
Categorically False Allegations
“The external cybersecurity agency has asserted that the allegation that this flaw could have provided access to large amounts of patients’ data is categorically false,” Nedjat-Shokouhi said. “It confirmed that all of Medefer’s data systems are currently secure and that it is not possible to access any patient data without appropriate security authentication.”
Medefer also said that only limited data (names, addresses, NHS numbers, and some doctors’ notes) might have been exposed, not full medical records.
Medefer has also voluntarily notified the Information Commissioner’s Office (ICO) and the Care Quality Commission (CQC) to maintain transparency and ensure appropriate governance standards are upheld. Nedjat-Shokouhi stated that the ICO had confirmed that no further action was needed as there was no evidence of a data breach.
Committed to Data Security
“We have acted transparently throughout this process,” he added. “Even though no evidence of a data breach was found, we completed NHS England’s information governance incident reporting tool promptly and voluntarily entered into correspondence with our regulators, the ICO, and the CQC.”
Despite the company’s assurances, the whistleblower contends that the vulnerability had likely existed for several years, and that after he raised the issue with management several times, his contract was terminated abruptly. Medefer’s CEO denied that the termination was related to the whistleblower’s actions, although he declined to provide further details.
Medefer also said it conducts regular external security audits and penetration tests as part of its ongoing commitment to data security and is committed to ensuring the highest standards of data security and patient confidentiality. Nedjat-Shokouhi noted that a recent penetration test, conducted only months before the vulnerability was discovered, did not uncover any issues.
The NHS has acknowledged the concerns raised and is looking into the matter. If necessary, further action will be taken to ensure the security of NHS patient data.
A Growing Problem
Tim Erlin, Chief Product Officer at Wallarm, says APIs are designed to share data, so an API that doesn’t require authentication is very attractive to bad actors. “Missing authentication on APIs isn’t new, but it’s a growing problem. Wallarm’s API ThreatStats report points to broken access control as the root cause in four of the top five API breaches from 2024.”
Too often developers rely on the authentication at the application layer, Erlin adds, while forgetting that APIs share sensitive data as well. Organizations really must have a complete inventory of their APIs and the sensitive data they expose in order to identify and remediate these issues.
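The pattern Erlin describes, a login check on the human-facing page while the JSON endpoint behind it serves the same data to anyone, is easiest to see side by side with the fix. The following is an added example written for this article, not code from Medefer, Wallarm or the NHS: a framework-free router with a deliberately unauthenticated API route, the hardened deny-by-default version in which authentication runs before any handler, and a small inventory check that lists which routes still answer an unauthenticated request with data. The records, token and route names are constructed placeholders.

```python
"""Missing authentication on an API route beside a deny-by-default version.

Added example, not code from the article or any organisation named in it.
All records, tokens and route names are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed sample data; not real patient information.
PATIENTS = {
    "p1": {"name": "Example Patient A", "nhs_number": "000 000 0001"},
    "p2": {"name": "Example Patient B", "nhs_number": "000 000 0002"},
}
# Hypothetical bearer tokens; a real service would validate signed tokens
# against an identity provider rather than a static set.
VALID_TOKENS = {"token-for-clinician-1"}


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: object = None


def is_authenticated(req: Request) -> bool:
    """Accept only a known bearer token in the Authorization header."""
    auth = req.headers.get("Authorization", "")
    return auth.startswith("Bearer ") and auth[len("Bearer "):] in VALID_TOKENS


# --- Vulnerable version: the check lives inside one handler, not in front of all ---
def vulnerable_app(req: Request) -> Response:
    if req.path == "/patients":
        # The human-facing page verifies the caller...
        if not is_authenticated(req):
            return Response(401)
        return Response(200, "<html>patient list</html>")
    if req.path == "/api/patients":
        # ...but the JSON endpoint that feeds it is reachable by anyone,
        # and can be called in a loop to pull every record.
        return Response(200, list(PATIENTS.values()))
    return Response(404)


# --- Hardened version: authenticate first, route second ---
ROUTES = {
    "/patients": lambda _req: Response(200, "<html>patient list</html>"),
    "/api/patients": lambda _req: Response(200, list(PATIENTS.values())),
}


def hardened_app(req: Request) -> Response:
    # The gate runs before the route table is consulted, so a route added
    # later to ROUTES cannot ship without authentication by omission.
    if not is_authenticated(req):
        return Response(401)
    handler = ROUTES.get(req.path)
    if handler is None:
        return Response(404)
    return handler(req)


def unauthenticated_routes(app, paths) -> list:
    """Inventory check: which routes return 200 to a request with no credentials?

    Run this over the full route list of a service; any path it returns is an
    endpoint that serves data without authentication.
    """
    return [p for p in paths if app(Request(p)).status == 200]


if __name__ == "__main__":
    paths = list(ROUTES)
    print("vulnerable:", unauthenticated_routes(vulnerable_app, paths))
    print("hardened:  ", unauthenticated_routes(hardened_app, paths))
```

The inventory helper is the check worth keeping: pointed at a real route table (or an API gateway's export of it), it turns "we think every API requires authentication" into a list that is either empty or is the remediation backlog.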
Identifying Exposures in APIs
Security leaders face challenges when it comes to maintaining the integrity of the entire healthcare system, adds Markus Muller, Global Field CTO at Boomi. “APIs are critical for real-time medical data sharing, AI-driven diagnostics, and improving patient access to care, but they also introduce risk if they aren’t subject to stringent governance and security controls.”
Muller says bad actors are experts in identifying exposures in APIs and finding ways to exploit them through any weaknesses, including outdated security controls and missing or weak authentication. “The result can be anything from unauthorized access to medical records to patient data being encrypted and held to ransom. Healthcare providers must take a zero-tolerance approach to managing these security risks.”
The challenge, adds Muller, is that the sheer number of API connections between both internal and external systems involved in care delivery has made it infinitely more difficult for providers to keep control with the measures they have relied on in the past. “Healthcare organizations need a more modern, unified approach to API management. They need the ability to see all of their connections in one place and apply federated governance across the entire ecosystem to make APIs ‘secure by default.’ This makes it more difficult for unmanaged APIs to slip below the radar while making it easier to prevent vulnerabilities from being exposed.”
Stamp it Out Immediately
“As any good GP would say, prevention is always better than cure,” adds Graeme Stewart, Head of Public Sector at Check Point Software. “The second a flaw appears in a system holding sensitive patient data, it needs stamping out – immediately. But the bigger question this raises is – is it really best for organizations to ‘mark their own homework’ on cybersecurity? The NHS says there is ‘no breach,’ yet how can anyone be sure if it is just an internal review?
“Let’s be honest: NHS bosses will have to keep outsourcing for rapid improvements, so more incidents like this are bound to happen. We need a system the public can truly trust. Perhaps the NHS outsourced providers – and similar sectors like education – should be contractually forced to let third parties test their systems before using live public sector data, and an independent body should investigate,” Stewart adds.
“Ultimately, when sensitive health data goes wrong, it can be catastrophic for people’s lives. That is why rigorous testing, regular audits, and bulletproof incident-response plans must be non-negotiable,” Stewart continues. “That back-end approach, under proper scrutiny, could be the ‘apple a day’ that keeps frontline doctors and nurses away from getting dragged into cybersecurity chaos – the kind that can force hospitals back to pen and paper.”
A Strong Need for Privacy
Jamie Beckland, Chief Product Officer at APIContext, says medical records have a strong need for privacy. “As the healthcare ecosystem implements more interoperability, personal health information (PHI) is transmitted through APIs. Medefer could have protected internal systems from receiving PHI by using the Fast Healthcare Interoperability Resources (FHIR) standard for APIs. FHIR was developed to ensure that PHI is protected between internal and external systems.
“Even before deployment, it’s easy to test against the FHIR standard with API conformance testing, which would have immediately flagged the issue. Healthcare IT teams should include API conformance testing to demonstrate regulatory compliance, and also because it’s the right thing to do to protect patient data,” Beckland ends.
Information Security Buzz News Editor: Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.