Anonymous hacker says they stole 1.2 million NHS patients’ data

Third-party software vendor disputes the breach’s nature and scale.

David Bisson


A member of the Anonymous hacking collective claims to have stolen data belonging to 1.2 million patients of the United Kingdom’s National Health Service (NHS).

The breach affected swiftQueue, a software provider of dashboard and metrics solutions to healthcare clinics. Currently, the vendor manages the websites of eight NHS facilities. Patients of those health centers can use the swiftQueue-managed site to schedule appointments and check in at waiting rooms.

Naturally, swiftQueue requires patients to submit their personal information in order to complete a transaction. Its software therefore constitutes a treasure trove of data for attackers… that is, if they can find a flaw to hack their way in.

Well, it appears that’s exactly what happened.

An unknown hacker who says they are associated with Anonymous claims to have exploited unpatched software vulnerabilities in swiftQueue’s software to steal a database containing 11 million records, including the passwords and personal data (names, birth dates, phone numbers, and email addresses) of 1.2 million NHS patients.


As the individual told The Sun:

“The public has the right to know how big companies like SwiftQueue handle sensitive data. They can’t even protect patient details.”

The Metropolitan Police learned of the attack on 10 August at the referral of Action Fraud. At this time, its officers are investigating the scope and nature of the breach.

It’s a good thing, too, as there appears to be some dispute involving the hack.


Indeed, swiftQueue told the media that an unauthorized party accessed only “32,501 lines of administrative data,” which is presumably nowhere close to 11 million records. According to the company, this information also doesn’t contain patients’ medical records, stores users’ passwords in encrypted form, and even includes data belonging to “dummy” patients.

Thus far, it appears the breach has affected only one NHS facility. Such an impact, if true, is considerably smaller than the damage that WannaCry wrought against the United Kingdom’s health service in May 2017. Investigators have not revealed which center this newest incident might have affected, however.

NHS and swiftQueue are currently working together to notify affected victims.

While affected patients wait to be notified, they should exercise digital security common sense by not answering calls from unknown senders or clicking on suspicious links and email attachments. If the hacker responsible for the breach sold the database somewhere on the web, computer criminals could try to conduct secondary phishing and malware attacks against the exposed victims. So stay sharp and think before you click!

Update: swiftQueue has been in touch, with the following statement:

“swiftQueue recently became aware of a cyber-attack which affected a small subset of administrative data sets, with the breach fixed within three hours. No medical records have been illegally accessed by this criminal and swiftQueue has reported the incident to the Metropolitan Police Cyber Crime Unit who are investigating.”

“There was 32,501 lines of administrative data accessed, some of it was test data which related to ‘dummy’ patients. We are in the process of informing the patients affected and working with the police so will not be releasing any further information at this stage.”

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “Anonymous hacker says they stole 1.2 million NHS patients’ data”

  1. Jonathan Ashkenazi

    News about NHS breaches has become a weekly matter. Did WannaCry expose the vulnerabilities of their systems or you don't think it's related?

    Also, is there any way to verify the breached company's claims? Did the hackers publish anything to prove the scope they mentioned?
