Cyber Incident Victim: National Health Service
Date: Aug 2017
Location: United Kingdom
Summary
A hacker associated with Anonymous breached a contractor managing appointment bookings for multiple NHS trusts, compromising administrative data including names, dates of birth, phone numbers, and email addresses. The attacker claimed access to 1.2 million records, but the contractor, SwiftQueue, confirmed only 32,501 lines of non-medical administrative data—some being test entries—were accessed, with encrypted passwords remaining secure. The breach exploited unpatched software vulnerabilities and prompted a Metropolitan Police Cyber Crime Unit investigation, while NHS Digital emphasized no medical records were exposed. This incident followed broader criticisms of NHS suppliers' data security practices, including outdated systems and weak passwords identified in prior assessments.
Description
On or around August 10, 2017, an attacker claiming affiliation with the hacking collective Anonymous breached the systems of SwiftQueue, a private contractor providing appointment booking services to eight NHS trusts. The attacker exploited unpatched vulnerabilities in SwiftQueue’s software, which security updates should have addressed years earlier, gaining access to a database containing administrative patient records. While the hacker initially claimed to have stolen 11 million records, including passwords, SwiftQueue’s investigation revealed only 32,501 lines of administrative data were compromised. This dataset included patient names, dates of birth, phone numbers, and email addresses but did not contain medical records or unencrypted passwords. The breach impacted data associated with a single NHS trust, though SwiftQueue declined to publicly identify the specific trust or confirm the exact number of affected individuals.

SwiftQueue detected and contained the breach within three hours, notifying the Metropolitan Police Cyber Crime Unit via Action Fraud on August 10. The Metropolitan Police launched an investigation but made no arrests. SwiftQueue initiated contact with affected patients, clarifying that some compromised data represented test entries for "dummy" patients. NHS Digital confirmed the breach’s limited scope, emphasizing no medical information was accessed. The incident occurred three months after the WannaCry ransomware attack disrupted 47 NHS trusts, exacerbating concerns about systemic vulnerabilities. An earlier NHS Digital review had identified unpatched systems and weak passwords across NHS organizations, underscoring persistent security shortcomings. Patient advocacy group MedConfidential criticized SwiftQueue’s security practices and urged the NHS to enforce stricter data protection standards for third-party suppliers.
