Victim Organization Disputes Report, Says Breach Was Small
A U.K. tabloid newspaper is reporting that a contractor that provides services to the National Health System has been attacked by a hacker who claims to have stolen 1.2 million patient records. But the contractor involved says it was the victim of a much smaller breach and no patient records were accessed.
The Sun reports that SwiftQueue, a vendor of an online appointment platform used by eight NHS trusts, has reported to U.K. law enforcement claims by a hacker who says he exploited vulnerabilities in the contractor’s software to access a database containing confidential records on up to 1.2 million NHS patients. The attacker also claims links to the hacker group Anonymous.
Neither SwiftQueue nor NHS immediately responded to Information Security Media Group’s request for comment on the claims.
The Sun reports, however, that SwiftQueue acknowledges that it recently became aware of a cyberattack, but it claims the breach affected only a small subset of administrative data sets and that the vulnerability was fixed within three hours.
“There were 32,501 lines of administrative data, some of it test data which related to ‘dummy’ patients. We are in the process of informing the patients affected,” SwiftQueue told The Sun. “No medical records have been illegally accessed and we have reported the incident to the Metropolitan Police Cyber Crime Unit, which is investigating.”
NHS Digital told The Sun: “SwiftQueue does not hold medical information, but has told us that one of their databases may have been unlawfully accessed, affecting 32,500 lines of administrative data. This is limited to names, dates of birth, phone numbers and, in some cases, email addresses.”
In the U.S., the same affected data is considered protected health information, which when compromised is typically determined to be a health data breach that must be reported under HIPAA requirements to the Department of Health and Human Services.
In another recent healthcare security incident in the U.K., the WannaCry ransomware attacks impacted at least 47 NHS trusts, leading to the cancellation of more than 15,000 appointments and operations, according to The Sun.
U.S. Hacker Breaches
In the U.S., hackers have also been the main culprits in a string of major health data breaches over the last two years (see Wall of Shame Hits New Milestone for Health Data Breaches).
The U.S. federal tally that lists major health data breaches earlier this month hit a new milestone: More than 2,000 breaches affecting 500 or more individuals have been reported since September 2009. A key driver behind the surge in the number of affected individuals is the hacking incidents that have been reported since 2015. Those include the largest health data breach reported to date – the cyberattack reported in February 2015 by health insurer Anthem, which resulted in a breach impacting about 78.8 million individuals.
Of about 350 breaches currently under investigation by the U.S. Department of Health and Human Services that have been reported in the last 24 months, 40 percent are listed as involving a hacking/IT incident, followed by about 35 percent reported as involving unauthorized access/disclosure, a category that includes incidents potentially involving insiders or external actors. Most of the rest involved lost or stolen unencrypted computing devices.
Since 2009, the approximately 350 reported hacking/IT incidents have impacted about 130.7 million individuals, or nearly 75 percent of those impacted by major health data breaches reported to federal regulators.
Watch for updates on this developing story.