NHS patient data hacked? 'Anonymous' cybercriminal says 'millions' of records stolen

A hacker with alleged links to the Anonymous, the collective of digital activists, is claiming to have stolen 11 million customer records from a booking system used by the UK's National Health Service (NHS) – but officials warn the figure has been massively exaggerated.

The firm responsible for the system, called SwiftQueue, is contracted by 8 NHS trusts to maintain a cloud-based portal which patients can use to book medical appointments. Upon registration, it asks for a name, password, date of birth, post code, phone number and more.

The hacker, whose identity remains unknown, told The Sun that 11 million records were pilfered from a database by exploiting unpatched software bugs.

"The public has the right to know how big companies like SwiftQueue handle sensitive data," the culprit told the newspaper. "They can't even protect patient details."

SwiftQueue confirmed that a breach took place in August but claimed that the database in question is not that large, meaning the figure could not be true.

It stressed it does not store medical records, passwords were encrypted and the police have been informed.

According to The Sun, the company database holds up to 1.2 million entries.

The stolen data was allegedly hijacked from a single NHS trust – which is yet more evidence that the scale of the breach was over-hyped by the hacker. The identity of the trust has not been revealed.

"We recently became aware of a cyberattack which affected a small subset of administrative data sets, with the breach fixed within three hours," a SwiftQueue spokesperson told IBTimes UK.

"There were 32,501 lines of administrative data, some of it test data which related to 'dummy' patients. We are in the process of informing the patients affected.

"No medical records have been illegally accessed and we have reported the incident to the Metropolitan Police Cyber Crime Unit which is investigating." The leaked data included patient details such as names, dates of birth, phone numbers and email addresses.

A Met spokesperson said it "received a referral from Action Fraud following an allegation of computer misuse [...] on 10 August.

"Officers are in touch with the organisation affected and are investigating. There have been no arrests and enquiries continue."

NHS Digital, which maintains cybersecurity for the British healthcare system, reiterated that the breach was smaller than claimed.

It said that "32,500 lines of administrative data" was accessed and that it would continued to "support SwiftQueue and the NHS as investigations continue."

The NHS remains a prime target for criminal hackers. In May this year, the outbreak of a major ransomware strain known as "WannaCry" infected its computer systems, bringing some operations to a halt. Patients were turned away and appointments cancelled.

The UK's Information Commissioner's Office (ICO), the independent data breach watchdog, did not immediately respond to request for comment.