API Failings Exposed Patient Data For Years

Flaw in Medefer’s API exposed patient details.


The NHS is investigating claims by an IT whistleblower that patient data was left vulnerable due to security failures at private healthcare provider Medefer.

According to Computer Weekly, a flaw in Medefer’s API exposed patient details, including names, addresses, NHS numbers, and some doctors' notes, although there is no evidence of data compromise. Medefer fixed the issue within 48 hours of discovery in November 2024 but admitted not knowing how long the vulnerability had existed.

The whistleblower, a software testing contractor, believes the flaw may have been present for at least six years. He reported the issue internally but claims his contract was terminated after raising concerns with Medefer’s CEO. Medefer denies this was the reason for his dismissal.

Unaware of the Issue

The NHS said it was unaware of the issue until contacted by Computer Weekly, but is now looking into the concerns.

Markus Muller, global field CTO at Boomi, called the incident a “stark reminder of the challenges that security leaders face in maintaining the integrity of the entire healthcare system.”

He said: “APIs are critical for real-time medical data sharing, AI-driven diagnostics, and improving patient access to care, but they also introduce risk if they aren’t subject to stringent governance and security controls.

“The challenge is that the sheer number of API connections between both internal and external systems involved in care delivery has made it far more difficult for providers to maintain control with the measures they historically relied on. Healthcare organisations need a more modern, unified approach to API management.”


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
