NHS Patient Data at Risk from Historic Breach: Report

A historic breach at a third-party supplier has put the data of countless NHS patients at risk, according to a new report.

An investigation by the Sunday Telegraph revealed a 2016 breach at online training business Embrace Learning exposed the email addresses and unencrypted passwords of 10,000 public sector healthcare workers.

The risk is that if these affected workers reused their Embrace Learning credentials for their NHS accounts, hackers could theoretically have used them to break into networks in search of lucrative patient data.

Some 19 NHS trusts and organizations including local councils were affected, none of which were aware of the breach when contacted by the paper.

A statement from the distance learning company confirmed the historic breach and claimed there had been “no successful attacks on our servers since new measures were implemented in 2016.” However, that doesn’t cover the possibility of other organizations being affected by the password theft.

“On reflection, our security measures at that time were clearly not sophisticated enough to prevent data being stolen,” it noted.

“The breach prompted immediate action. In consultation with our ISP UKFast, we significantly increased the level and sophistication of security and encryption. Since then we have taken further measures to protect data from increasingly sophisticated hacking attempts.”

The hope is that the trusts affected operate a policy of regularly enforcing password changes, or else require 2FA for log-ins, both of which would largely mitigate the threat.

Cumbria Partnership NHS Foundation Trust, which had passwords stolen from 200 employees, told the paper it has contacted each member of staff affected.

“As a trust we take data security very seriously and as such all staff are forced to change their passwords regularly therefore we are confident that our staff details remain safe,” it said. “We have robust policies and processes in place and regularly update our staff of the importance of all types of cybersecurity.”

Jamie Graves, CEO of ZoneFox, said the case highlights the complexity and cyber-risks involved in modern supply chains.

“Robust company-wide education programs are vital for safeguarding confidential data,” he added. “What's more, robust password managers are a must for anyone, not least our front-line NHS staff whose life-saving work inevitably entails access to sensitive patient data."

What’s Hot on Infosecurity Magazine?