Software Glitch Exposed NHS Data to Potential Cyberattacks.

A software vulnerability at a technology firm left sensitive NHS data at risk of being accessed by hackers, according to recent reports.

The NHS is investigating allegations that a software flaw at Medefer, a private medical services company, left patient data vulnerable to potential hacking. Medefer, which manages approximately 1,500 NHS patient referrals monthly in England, addressed the issue shortly after it was discovered in November. However, the software engineer who identified the flaw claims it may have existed for at least six years.

Medefer has denied that the vulnerability persisted for such an extended period and emphasized that there is no evidence patient data was compromised. The company resolved the issue within days of its discovery and, in late February, enlisted an external security agency to review its data management systems. An NHS spokesperson stated, "We are looking into the concerns raised about Medefer and will take further action if appropriate."

Medefer’s platform enables patients to book virtual appointments with doctors and provides clinicians access to relevant patient data. The software flaw, however, reportedly exposed Medefer’s internal patient record system to potential unauthorized access. The engineer who uncovered the issue described his shock, saying, "When I found it, I just thought, 'No, it can’t be.'"

The vulnerability stemmed from improperly secured APIs (application programming interfaces), which facilitate communication between different computer systems. The engineer warned that these APIs could have been exploited by outsiders to access patient information. While he believes it is unlikely that data was stolen, he stressed that a thorough investigation would be necessary to confirm this.

The engineer, who was contracted in October to test the company’s software for flaws, recommended that Medefer bring in an external cybersecurity expert to investigate the issue. He claims this recommendation was not followed. Medefer, however, stated that the external security agency found no evidence of a data breach and confirmed that all systems are now secure. The company described its response to the issue as "extremely open" and reported the matter to the Information Commissioner’s Office (ICO) and the Care Quality Commission (CQC) as a precaution. The ICO has since confirmed no further action is required, as there is no evidence of a breach.

Dr. Bahman Nedjat-Shokouhi, founder and CEO of Medefer, stated, "There is no evidence of any patient data breach from our systems." He confirmed that the flaw was fixed within 48 hours of its discovery, and that the external security agency has refuted claims that the vulnerability could have exposed large amounts of patient data. The agency’s review is expected to conclude later this week.

Cybersecurity experts who reviewed details provided by the engineer expressed concerns. Professor Alan Woodward of the University of Surrey noted, "There is the possibility that Medefer stored data derived from the NHS not as securely as one would hope." He explained that even if the database was encrypted, a flaw in API authorization could potentially allow unauthorized access.
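The point Professor Woodward makes, that encryption of the stored data does not help when the API layer decides who may read it, is easiest to see in code. The following is an added illustration, not Medefer's code and not a description of its actual flaw: a hypothetical patient-record endpoint in two forms, one that only checks that the caller is logged in (authentication) and one that also checks that the caller is assigned to the patient (authorization). All names (`tok-c7`, `C-7`, `P-1001`, the assignment table) and the sample records are constructed for the example, and the SHA-256 counter keystream is a dependency-free stand-in for real at-rest encryption such as AES-GCM.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Constructed demo key. The SHA-256 counter keystream below stands in for real
# at-rest encryption (use AES-GCM from a vetted library in practice); it exists
# only so the example runs with no third-party dependencies.
AT_REST_KEY = b"constructed-demo-key"


def _keystream(nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(AT_REST_KEY + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(data: bytes, nonce: bytes) -> bytes:
    """Encrypts or decrypts (XOR is symmetric) with the at-rest keystream."""
    return bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))


@dataclass
class Session:
    user_id: str
    role: str


# Constructed sample data: two encrypted patient records, one clinician assignment,
# and two valid login tokens (hypothetical identifiers).
RECORDS: Dict[str, Dict[str, bytes]] = {
    "P-1001": {"nonce": b"n1", "blob": xor_crypt(b"Patient 1001: referral for cardiology", b"n1")},
    "P-1002": {"nonce": b"n2", "blob": xor_crypt(b"Patient 1002: referral for dermatology", b"n2")},
}
ASSIGNMENTS: Dict[str, Set[str]] = {"C-7": {"P-1001"}}  # clinician C-7 may view P-1001 only
SESSIONS: Dict[str, Session] = {
    "tok-c7": Session("C-7", "clinician"),
    "tok-c9": Session("C-9", "clinician"),  # valid login, but no patients assigned
}
AUDIT_LOG: List[str] = []  # what a defender would ship to the SIEM


def authenticate(token: str) -> Optional[Session]:
    return SESSIONS.get(token)


def _decrypt_record(patient_id: str) -> str:
    rec = RECORDS[patient_id]
    return xor_crypt(rec["blob"], rec["nonce"]).decode()


def get_record_vulnerable(token: str, patient_id: str) -> str:
    """Authentication only: any logged-in caller can read any record.
    The record is encrypted at rest, but the API holds the key and decrypts on
    the caller's behalf, so encryption does not limit who can read it."""
    if authenticate(token) is None:
        raise PermissionError("unauthenticated")
    return _decrypt_record(patient_id)


def get_record_hardened(token: str, patient_id: str) -> str:
    """Authenticates, then authorizes: the caller must be assigned to the patient.
    Denied attempts are logged so repeated probing of record IDs is visible."""
    session = authenticate(token)
    if session is None:
        raise PermissionError("unauthenticated")
    if patient_id not in ASSIGNMENTS.get(session.user_id, set()):
        AUDIT_LOG.append(f"DENY user={session.user_id} record={patient_id}")
        raise PermissionError("forbidden")
    AUDIT_LOG.append(f"ALLOW user={session.user_id} record={patient_id}")
    return _decrypt_record(patient_id)


def is_denied(endpoint: Callable[[str, str], str], token: str, patient_id: str) -> bool:
    """True if the endpoint refuses the request with PermissionError."""
    try:
        endpoint(token, patient_id)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # C-9 is logged in but not assigned to P-1001: the weak endpoint still serves it.
    print("vulnerable:", get_record_vulnerable("tok-c9", "P-1001"))
    print("hardened, assigned clinician:", get_record_hardened("tok-c7", "P-1001"))
    print("hardened, unassigned clinician denied:", is_denied(get_record_hardened, "tok-c9", "P-1001"))
    print(AUDIT_LOG)
```

The difference between the two endpoints is a single lookup against the assignment table, which is why this class of flaw is easy to miss in review and why the audit entries on the denied path matter: a burst of `DENY` lines for one user across many record IDs is the signal an investigation would look for.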

Security researcher Scott Helme added that Medefer, given the sensitive nature of the data it handles, should have engaged cybersecurity experts immediately after identifying the issue. "Even if the company suspected no data was stolen, an investigation by a qualified expert would be advisable," he said.

Medefer, founded in 2013 by Dr. Nedjat-Shokouhi, aims to improve outpatient care and has partnered with NHS trusts across England. The NHS spokesperson reiterated that individual NHS organizations are responsible for ensuring their contracts with private suppliers meet legal and data security standards. "We offer support and training nationally to help them achieve this," the spokesperson added.

The incident underscores the importance of robust cybersecurity measures in safeguarding sensitive healthcare data, particularly as digital health services continue to expand.

Sam Lord