Security experts have raised concerns about the risks posed to NHS patient data following the University of Manchester cyberattack.
A report from the Independent claimed that data belonging to more than a million NHS patients may have been compromised in the June attack.
The data accessed by the threat actors during the incident reportedly concerns trauma patients and people being treated for injuries sustained during terrorist attacks.
The datasets, collated for research purposes by the university, included NHS numbers and the “first three letters” of patients’ postcodes, according to leaked documents seen by the publication.
The university has since informed NHS England of the data breach, but a notice to the healthcare provider warned that it was still unclear whether the names of affected patients had been compromised.
This prompted the university to issue a warning that it is possible that “NHS data could be made available in the public domain”.
Similarly, university officials warned that some affected patients might not even know they were in the database because they were not required to provide consent.
Deryck Mitchelson, field CISO at Check Point and former CISO of NHS National Services Scotland, said the incident should serve as a stark warning about the potential risks of data sharing between private organizations and public services.
“The question we must ask is why the university, as a private commercial organisation, had access to the NHS’s personally identifiable information,” he said.
“How many other universities store this type of data on their own servers?”
Mitchelson said the university needs to provide clarity on a number of key outstanding questions, such as whether the data was obfuscated or anonymised, whether these datasets were segmented from others, and what safeguards the university had in place governing the use of research data.
“When patient information is used for research purposes, there should be as much openness and transparency as possible about that use,” he said.
“All of this sets the stage for much more concerning conversations about data sharing between public and private organizations that need to be addressed.”
ITPro has contacted the University of Manchester for comment on this matter.
Manchester University attack: what happened?
At the beginning of June, the university revealed that it had suffered a “cyber incident” and confirmed that certain systems had been accessed by an unauthorized third party.
As a result of this breach, staff were advised not to download files from university systems in an attempt to back them up.
University officials said the data was “likely copied” in the breach and that the institution was working with authorities to identify the source of the problem. Last week, the university confirmed that data had been stolen.
The incident was initially thought to be linked to a breach at payroll provider Zellis following the MOVEit cyberattack. However, the university has denied any connection.
To date, the university says it has not yet established the identity of the threat actor(s) behind the attack.
In recent weeks, students and staff at the university have complained about receiving emails from the perpetrators threatening to sell or disclose their personal data unless a ransom is paid.