Medical data at risk after passwords hacked
Patients’ NHS records open to exploitation after email addresses are put up for sale on the dark web
The private data of millions of NHS patients may be at risk after a security hack that exposed the passwords of 10,000 care home and hospital staff.
An investigation by The Sunday Telegraph found that the passwords were stolen in 2016 from Embrace Learning, a Cheshire-based online training business used by healthcare workers, and put up for sale on the internet.
If staff reused those same passwords for their work accounts, the criminals who bought them could gain access to NHS databases.
Medical records on these databases can be worth 10 times more than credit card numbers when sold on the dark web. Fraudsters often buy them to create fake IDs to obtain drugs and medical equipment. They have also been known to use details to make false insurance claims or to blackmail victims.
Mandi McDonald, a former employee of Halton borough council, whose password was stolen, said: “It’s quite alarming. Everyone needs to be more vigilant. They should have done more steps to avoid this.”
Nineteen NHS trusts and organisations have been affected, including the Royal Free Hospital in London and Northampton General Hospital. Databases at local councils including Essex, Halton and Bedford are also at risk.
None of the organisations were aware of the hack until contacted by The Telegraph.
Leonard Cheshire Disability, a health and welfare charity, was a customer of Embrace Learning and had hundreds of passwords stolen. A spokesman said: “We will be investigating. The breach in no way relates to our network which requires more complex passwords that have to be regularly changed.”
Joseph Carson, a cybersecurity expert and chief security scientist at Thycotic, said the company’s failure to encrypt its passwords was like “taking something that’s meant to be a security control and actually making it as weak as you possibly can”.
Embrace Learning courses in health and around £40.
Michael Burke, managing director of Embrace Learning, confirmed that his company’s website had been attacked in 2016, but at the time was unaware that any customer information had been stolen.
The hacker who retrieved the passwords published 500 email addresses and passwords in December 2016, probably to provide a sample to prospective customers looking to buy the full database, experts said.
Sean Sullivan, a security adviser at F-Secure, a cybersecurity company, said: “They are typically opportunistic. Sometimes that means selling credentials, but it could also mean using the credentials to hack other accounts on different sites. And that’s possible because people often use the same password on multiple sites.”
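The reuse risk described above, and the point about how Embrace Learning stored its passwords, can be checked concretely. The following is an added example, not code from the article or from any of the organisations named in it: it stores an organisation's own passwords as salted PBKDF2 hashes (the opposite of a plaintext or reversibly "encrypted" table), parses a constructed `email:password` dump in the shape of the published sample, and reports which staff accounts would be opened by the leaked third-party password, so they can be forced to reset. The dump contents, the example addresses, the iteration count and the `pbkdf2_sha256$...` storage format are all assumptions made for illustration.

```python
"""Added example: after a third-party breach exposes staff e-mail/password
pairs, check whether any of those passwords are also valid for the
organisation's own accounts, which are stored only as salted PBKDF2 hashes.
The dump format, storage format and all sample data are constructed."""

import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # assumption: tune to your own hardware budget


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store a password as a per-user salt plus a slow hash, never as
    plaintext or a reversible blob: a stolen table then yields no reusable
    credentials without a per-account brute force."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def parse_dump(text: str) -> dict[str, str]:
    """Parse a constructed 'email:password' dump. Addresses are normalised
    to lower case; blank lines and lines without a separator are skipped."""
    creds: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        creds[email.strip().lower()] = password
    return creds


def find_reused_credentials(leaked: dict[str, str],
                            user_store: dict[str, str]) -> list[str]:
    """Return the accounts whose leaked third-party password also verifies
    against the organisation's own hash: these need a forced reset."""
    reused = []
    for email, password in leaked.items():
        stored = user_store.get(email)
        if stored is not None and verify_password(password, stored):
            reused.append(email)
    return sorted(reused)


# Constructed sample dump (not data from the article).
LEAKED_DUMP = """\
alice@example-trust.nhs.uk:Winter2016!
Bob@example-trust.nhs.uk:correct horse battery staple
carol@example-trust.nhs.uk:Passw0rd
dave@example-council.gov.uk:letmein
malformed line without separator
"""


def build_demo_store() -> dict[str, str]:
    """Constructed internal directory: alice and bob reused their training
    site password at work, carol chose a different one, dave has no account."""
    return {
        "alice@example-trust.nhs.uk": hash_password("Winter2016!"),
        "bob@example-trust.nhs.uk": hash_password("correct horse battery staple"),
        "carol@example-trust.nhs.uk": hash_password("a-different-password"),
    }


if __name__ == "__main__":
    hits = find_reused_credentials(parse_dump(LEAKED_DUMP), build_demo_store())
    for email in hits:
        print(f"force password reset: {email}")
```

Run as a script it lists alice and bob, the two accounts whose work password is the one now on sale; carol reused nothing and dave is not a user, so neither is reported. The same check is only possible because the organisation holds slow, salted hashes it can verify a candidate against; a site that kept passwords recoverable, as the training provider's apparently were, hands that list to the buyer instead.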
[Graphic: 10k, the number of passwords a hacker managed to harvest from a website’s database of health course trainees]
An Embrace Learning spokesman said in a statement: “Our security measures at that time were clearly not sophisticated enough to prevent data being stolen. The breach prompted immediate action. In consultation with our ISP UKFast, we significantly increased the level and sophistication of security and encryption.
“Since then we have taken further measures to protect data from increasingly sophisticated hacking attempts. There have been no successful attacks on our servers since new measures were implemented in 2016.”
Cumbria Partnership NHS Foundation Trust had 200 passwords stolen in the hack. A spokesman said: “Where we are able, we have contacted each member of staff to inform them of Embrace Learning’s data breach.
“As a Trust we take data security very seriously and as such all staff are forced to change their passwords regularly. We are confident our staff details remain safe. We have robust policies and processes in place and regularly update our staff of the importance of cyber security.
“We would like to make clear that it was not the Trust that was hacked but an external company employed to undertake online training.”