Medefer refutes claim that security flaw left patient data vulnerable

Dr Bahman Nedjat-Shokouhi, chief executive of Medefer (Image provided by Medefer)
  • Online healthcare provider Medefer has denied claims from a whistleblower that its application programming interface (API) left NHS patient data vulnerable
  • Medefer said that the claims are "categorically false"
  • The firm said that an independent specialist cybersecurity agency has confirmed that there is no evidence of any patient data breach from the firm's systems

Online healthcare provider Medefer has denied claims from a whistleblower that its application programming interface (API) left NHS patient data vulnerable.

When a patient is referred to Medefer for an online appointment, the firm receives patient data from the NHS’s e-referral system (e-RS) or the NHS Spine to make it available to medics for consultations.

A software testing contractor working for Medefer claimed that in November 2024 he told the firm’s management about a flaw in the company’s API which, he said, allowed NHS data held in the internal patient record to be accessed without any authentication.

The whistleblower told Computer Weekly: “Hackers target vulnerabilities such as this using a suite of automated tools and techniques to retrieve private and sensitive information that could be monetised or used for further malicious activity.

“Since no authentication was required, attackers could script automated calls to the APIs to exfiltrate large amounts of data, for example all patient records.”
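The class of flaw the whistleblower describes is an API route that hands back a record to anyone who can reach the URL, so a script can walk the record ID space and collect everything. The following is an added illustration in Python; it is not code from the article, from Medefer, or from anyone quoted here, and the records, session tokens, request shape and handler names are all invented for the example. It shows the unauthenticated "before" handler beside a hardened one, and the ID sweep run against each.

```python
"""Illustrative only: an unauthenticated record endpoint next to a hardened
one, plus the scripted ID sweep an attacker would run against each.
All data and names below are constructed for this example."""
import hmac
from dataclasses import dataclass, field

# Constructed sample data: three referral records keyed by an integer ID.
RECORDS = {
    1001: {"nhs_number": "TEST-0001", "name": "Patient A", "referral": "gastroenterology"},
    1002: {"nhs_number": "TEST-0002", "name": "Patient B", "referral": "cardiology"},
    1003: {"nhs_number": "TEST-0003", "name": "Patient C", "referral": "dermatology"},
}

# Constructed sessions: bearer token -> (user, set of record IDs that user may view).
# A real service would look these up in a session store, not a module-level dict.
SESSIONS = {
    "tok-clinician-7": ("dr_seven", {1001, 1002}),
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: path plus headers."""
    path: str
    headers: dict = field(default_factory=dict)


def vulnerable_get_record(req: Request, record_id: int):
    """'Before' handler: no identity check at all; knowing the URL is enough."""
    rec = RECORDS.get(record_id)
    if rec is None:
        return 404, {"error": "not found"}
    return 200, rec


def _authenticate(req: Request):
    """Return the session for a well-formed, valid bearer token, else None."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    # Constant-time comparison against each known token (small store, so a
    # linear scan is fine here).
    for token, session in SESSIONS.items():
        if hmac.compare_digest(presented, token):
            return session
    return None


def hardened_get_record(req: Request, record_id: int):
    """'After' handler: authenticate first, then authorise per record."""
    session = _authenticate(req)
    if session is None:
        return 401, {"error": "authentication required"}
    _user, allowed_ids = session
    # Authorisation is checked before existence, so a caller cannot use
    # 403-versus-404 differences to learn which record IDs exist.
    if record_id not in allowed_ids:
        return 403, {"error": "forbidden"}
    rec = RECORDS.get(record_id)
    if rec is None:
        return 404, {"error": "not found"}
    return 200, rec


def sweep(handler, id_range, headers=None):
    """The scripted enumeration described in the claim: walk a range of IDs
    and keep every record the handler returns with status 200."""
    found = {}
    for rid in id_range:
        status, body = handler(Request(f"/records/{rid}", dict(headers or {})), rid)
        if status == 200:
            found[rid] = body
    return found


if __name__ == "__main__":
    ids = range(1000, 1010)
    clinician = {"Authorization": "Bearer tok-clinician-7"}
    print("unauthenticated sweep, vulnerable:", sorted(sweep(vulnerable_get_record, ids)))
    print("unauthenticated sweep, hardened:  ", sorted(sweep(hardened_get_record, ids)))
    print("clinician sweep, hardened:        ", sorted(sweep(hardened_get_record, ids, clinician)))
```

The hardened handler deliberately does two things, not one: it rejects requests with no valid token, and it also refuses records the authenticated user is not permitted to see. Adding authentication alone would stop anonymous scraping, but any single valid account could still sweep the whole ID range; the per-record authorisation check is what limits a compromised credential to the records that user was already entitled to.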

Responding to the claims, Dr Bahman Nedjat-Shokouhi, chief executive of Medefer and an NHS consultant gastroenterologist, said that a fix for the vulnerability had been developed within 48 hours of the contractor reporting it, and that the issue had been resolved.

He added that an independent specialist cybersecurity agency has confirmed that there is no evidence of any patient data breach from the firm’s systems.

“The decision to commission independent, external cybersecurity experts to understand the facts around this issue was made immediately, on the day the potential vulnerability was discovered.

“The external cybersecurity agency has asserted that the allegation that this flaw could have provided access to large amounts of patients’ data is categorically false, confirmed that all of Medefer’s data systems are currently secure, and that it is not possible to access any patient data without appropriate security authentication.

“We have acted transparently throughout this process.

“Even though no evidence of a data breach was found, we completed NHS England’s information governance incident reporting tool promptly, and voluntarily entered into correspondence with our regulators, the Information Commissioner’s Office (ICO) and the Care Quality Commission (CQC), in order to ensure that appropriate standards of transparency and governance accountability are maintained.”

He added that the ICO had confirmed that no further action was required, as there was no evidence of a breach of confidentiality.

“As a CQC-registered organisation and publicly funded provider of NHS services, led by NHS physicians, we take our duties to patients and the NHS very seriously.

“We hold regular external security audits of our systems by independent external security agencies, undertaken on multiple occasions every year – with the intention to understand and address any vulnerabilities.

“External penetration testing only a few months earlier had not identified this issue,” Nedjat-Shokouhi said.

A spokesperson for NHS England told Digital Health News: “Individual NHS organisations must ensure they meet their legal responsibilities and national data security standards to protect patient data when appointing suppliers, and we offer them support and training nationally on how this should be done.”

Digital Health News contacted the ICO for comment.
