Did a Hacker Steal Over 1 Million UK Health Records?
Victim Organization Disputes Report, Says Breach Was Small
A U.K. tabloid newspaper is reporting that a contractor that provides services to the National Health System has been attacked by a hacker who claims to have stolen 1.2 million patient records. But the contractor involved says it was the victim of a much smaller breach and no patient records were accessed.
The Sun reports that SwiftQueue, a vendor of an online appointment platform used by eight NHS trusts, has reported to U.K. law enforcement claims by a hacker who says he exploited vulnerabilities in the contractor's software to access a database containing confidential records on up to 1.2 million NHS patients. The attacker also claims links to the hacker group Anonymous.
But in a statement provided to Information Security Media Group, SwiftQueue says: "We totally refute the hacker's accusation that 'millions of records were stolen.' There were 32,501 lines of administrative data, some of it test data which related to 'dummy' patients, that were accessed. SwiftQueue does not process medical information or does not hold medical data on its servers."
The company adds that when it recently became aware of the cyberattack affecting "a small subset of administrative data sets ... the breach [was] fixed within three hours. No medical records have been illegally accessed and swiftQueue has reported the incident to the Metropolitan Police Cyber Crime Unit who are investigating."
SwiftQueue adds that it's in the process of informing the patients affected and working with the police so it will "not be releasing any further information at this stage."
NHS did not immediately respond to ISMG's request for comment on the claims.
However, NHS Digital told The Sun: "SwiftQueue does not hold medical information, but has told us that one of their databases may have been unlawfully accessed, affecting 32,500 lines of administrative data. This is limited to names, dates of birth, phone numbers and, in some cases, email addresses."
In the U.S., the same affected data is considered protected health information, which when compromised is typically determined to be a health data breach that must be reported under HIPAA requirements to the Department of Health and Human Services.
In another recent healthcare security incident in the U.K., the WannaCry ransomware attacks impacted at least 47 NHS trusts, leading to the cancellation of more than 15,000 appointments and operations, according to The Sun.
U.S. Hacker Breaches
In the U.S., hackers have also been the main culprit in a string of major health data breaches over the last two years (see Wall of Shame Hits New Milestone for Health Data Breaches).
The U.S. federal tally that lists major health data breaches earlier this month hit a new milestone: More than 2,000 breaches affecting 500 or more individuals have been reported since September 2009. A key driver behind the surge in the number of affected individuals is hacking incidents that have been reported since 2015. Those include the largest health data breach reported to date - the cyberattack reported in February 2015 by health insurer Anthem, which resulted in a breach impacting about 78.8 million individuals.
Of about 350 breaches currently under investigation by the U.S. Department of Health and Human Services that have been reported in the last 24 months, 40 percent are listed as involving a hacking/IT incident, followed by about 35 percent reported as involving unauthorized access/disclosure, which includes incidents potentially involving insiders or external actors. Most of the rest involved lost or stolen unencrypted computing devices.
Since 2009, the approximately 350 reported hacking/IT incidents have impacted about 130.7 million individuals, or nearly 75 percent of those impacted by major health data breaches reported to federal regulators.