NHS patients’ data still exposed in ‘honeypot for hackers’ after ‘failing to act’ on cyber attack warnings
The NHS failed to act on warnings over weaknesses in a database housing a million patients’ records before it was hacked and has repeated mistakes potentially leaving millions more records still exposed, it is claimed.
Last year, the Independent exposed a major cyber attack on an NHS database that led to more than one million patients’ records being hacked by cyber criminals.
Evidence obtained by this publication now shows senior NHS officials and the University of Manchester, which was responsible for the database, were warned over security risks and weakness in the platform months before hackers mounted their attack.
Earlier this month, South London hospitals were plunged into chaos after their pathology provider was hacked by Russian cybercriminals, who have since posted patient records online.
And now concerns have been raised that a new system introduced since the cyber attack last year still leaves millions of patients’ private records at risk.
Have you been affected by this? Email rebecca.thomas@independent.co.uk
The Independent can reveal NHS officials were warned in February 2023 that the data was sitting in a platform using old technology and should have been moved to a secure network, called the Health and Social Care Network, to avoid data breaches and external hacking attempts.
The NHS was also warned the platform did not require two-step verification which is often used for securing sensitive databases. The University of Manchester had warnings even earlier from at least December 2022.
The Federation of Clinical Registries (FCR), formed by clinicians who run two dozen of these registries, claims the NHS failed to take sufficient action after the warnings, in an “extremely worrying indication of NHS England’s approach”.
“The NHS’ refusal to respond with appropriate action to a clearly articulated security risk months before the University of Manchester data breach failed to protect the data collection,” an FCR spokesperson said.
The NHS has since moved the previously hacked data into a new system and plans to transfer 36 more patient registries to it too, including information on haemophiliacs, inflammatory bowel disease, cardiac patients and patients suffering from pelvic prolapse and incontinence.
But the FCR has warned NHS officials the plans to do this before weaknesses have been resolved could leave them open to further hacks.
“We have for many months sought clarification of the NHS England plans for the patient data held within clinical registries and the registries themselves,” the FCR told The Independent. “As subject matter experts with decades of experience, the members of the FCR have grave concerns about the lack of engagement with patient representatives and the leaders of the clinical registries.”
Dr Ken Dunn, who runs a national database of patients treated for burn injuries, told The Independent millions of NHS patients’ data will be left exposed in a “hackers honeypot” if moved over to the new system.
“We’ve worked very hard to make patients and clinicians confident that their data is going to be appropriately managed, particularly with things such as haemophilia or bowel incontinence, you don’t want that stuff out there so to have that threatened is very personal.”
NHS England awarded a contract last year to NEC Software Solution for a data platform which is set to house 37 different data sets, called registries, including the National Haemophilic Registry, which was also central to evidence used by the infected blood inquiry. These datasets are considered the highest level of security risk as they include information which can identify patients. The platform already includes databases covering patients with breast implants and those treated for major trauma.
But according to evidence seen by The Independent, this platform sits on the open internet, rather than a secure network, and all those with an NHS email and private hospitals can request access. The platform also does not require two-factor authentication.
On 5 June NHS England medical director, Dr Stephen Powis received a letter from the Haemophilia Society UK in which it warned it is “strongly opposed” to the National Haemophilia Database being moved to the new system and has asked for plans to be halted.
The letter said: “We are deeply concerned at the way in which this proposal has been handled. There has been no consultation with the patient organisations or the National Haemophilia Database (NHD) and no business case has been presented.
“We therefore have no confidence that patient records would be protected...”
“It is important to present and future generations of people with bleeding disorders, not just those harmed through the contaminated blood scandal, that the NHD is protected and its funding enhanced. We must learn lessons from the past and put patient voices at the heart of decision making.”
A UoM spokesperson said: “We were the victim of a cyber-attack in early June 2023. We confirmed at the time that some of our systems had been accessed by an unauthorised party and data was copied.”
It said it took immediate action and eliminated the cyber-criminals from its networks, working with the Information Commissioner’s Office, the National Cyber Security Centre (NCSC), the National Crime Agency and NHS.
An NHS spokesperson said: “Tracking the safety and outcomes of major trauma services remains crucial for patient safety. The NHS is fully committed to meeting the highest standards in cyber security and data protection and the new National Major Trauma Registry, delivered by NEC Software Solutions, meets all appropriate security standards.”
It added that multi-factor verification will be in place for the new system in July.
NEC Software Solutions was approached for comment.
This story was updated at 11:46 on 25 June with an additional comment from NHS England on plans to introduce user verification.
