- The NHS would have examined the allegations of a third -party software defect
- Vulnerability of this type could leave the patients exposed
- However, Medefer denies reprehensible acts, says he was not aware of the question
The NHS would have “examined” the allegations according to which a software defect in a virtual reservation provider left the data of the patients exposed for a number of years.
Reports of Computer Let us say that a researcher has found a defect in Medefer, which manages 1,500 NHS references to patients per month, his system allowing patients to reserve virtual appointments with doctors, as well as giving thephysicians access to the data concerned by patients.
However, Medefer software APIs were apparently not properly secure, which means that the sensitive data of the patients could have fallen into bad hands, confirmed the researcher.
Vulnerable patients
The researcher, who wanted to be anonymous, said Computer every week Pirates could target these reported vulnerabilities using “a series of automated tools and techniques” in order to recover personal and sensitive information that could be monetized or used for malicious activity. Since authentication was not required, threat actors could “script automated API calls to exfiltrate large amounts of data, for example all patient files”.
The flaw could have existed for at least 6 years, said the researcher, which means that a large amount of NHS data could be at risk.
However, Medefer says that he heard of the NHS investigation in the media and that he had no prior contact with the NHS on this issue.
“There is no evidence of violation of patient data from our systems at any time. Techradar Pro.
“The external cybersecurity agency said that the allegation that this flaw could have provided access to large amounts of patient data is categorically false, confirmed that all Medefer data systems are currently secure and that patient data without appropriate safety authentication. been confirmed to the action needs.
Health care data is incredibly useful for threat stakeholders, as medical information can be sold on the Dark web, and personally identifiable information (such as names, addresses, emails) can be used in social engineering attacks or identity theft, so that any potentially exposed person must carefully monitor their accounts.
