NHS data leak raises ‘serious questions’ about Manchester University cyber attack
NHS patient data used for research purposes is believed to have been compromised in the June attack


Security experts have raised concerns about the risks posed to NHS patient data in the wake of the University of Manchester cyber attack.
A report from the Independent claimed that data belonging to more than one million NHS patients may have been compromised in the June attack.
Data accessed by threat actors during the incident is believed to pertain to trauma patients and people treated for injuries sustained in terror attacks.
The data sets, gathered for research purposes by the university, included NHS numbers and the ‘first three letters’ of patients’ postcodes, according to leaked documents seen by the publication.
The university has since informed NHS England of the data breach, but a notice to the healthcare provider warned that it is still unclear whether affected patients' names have been compromised.
This prompted the university to issue a warning that there is potential for “NHS data to be made available in the public domain”.
Similarly, university officials warned that some affected patients may not even know they are on the database as they were not required to provide consent.
Deryck Mitchelson, field CISO at Check Point and former CISO at NHS National Services Scotland, said the incident should serve as a stark warning over the potential risks of data sharing between private organizations and public services.
“The questions we need to be asking is why has the university, as a private commercial organization, had access to personal identifiable information from the NHS,” he said.
“How many other universities have this type of data stored on their own servers?”
Mitchelson said the university must provide clarity on a number of key lingering questions, such as whether the data was obfuscated or de-identified, whether these data sets were segmented from others, and what safeguards the university had in place for the use of research data.
“Where patient information is being used for research, there should be as much openness and transparency about that use as possible,” he said.
“All of this opens up far more concerning conversations around data sharing between public and private organizations which needs to be addressed.”
ITPro has approached the University of Manchester for comment on the matter.
University of Manchester attack: What happened?
In early June, the university revealed it had experienced a “cyber incident” and confirmed that some systems had been accessed by an unauthorized third party.
In the wake of the breach, staff were advised not to download files from university systems in an attempt to back them up.
University officials said that data had “likely been copied” during the breach and the institution was working with authorities to identify the source of the issue. Last week, the university confirmed that data had been stolen.
The incident was initially believed to be linked to a breach at payroll provider Zellis in the wake of the MOVEit cyber attack. However, the university refuted these claims.
To date, the university says it is yet to establish the identity of the threat actor or actors behind the attack.
In recent weeks, students and staff members at the university have complained that they have received emails from the culprits threatening to sell or leak their personal data unless a ransom is paid.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.