Software bug at firm left NHS data ‘vulnerable to hackers’

The NHS is “looking at” allegations that patient data was left vulnerable to hackers because of software flaws at a private medical services company.
The flaw was found last November at Medefer, which handles 1,500 NHS patient referrals a month in England.
The software engineer who discovered the flaw believes the problem had been present for at least six years.
Medefer says there is no evidence that the flaw had existed for a long time, and stresses that patient data has not been compromised.
The flaw was fixed a few days after it was discovered.
In late February, the company commissioned an external security agency to review its data management systems.
An NHS spokesperson said: “We are looking at the concerns raised about Medefer and will take further action if appropriate.”
Medefer’s system allows patients to book virtual appointments with doctors and gives physicians access to the relevant patient data.
However, the software bug found in November left Medefer’s internal patient record system vulnerable to hackers, the engineer said.
The software engineer, who does not want to be named, was surprised by what he uncovered.
“When I got it, I thought, ‘No, it could not happen’.”
The problem was in pieces of software called APIs (application programming interfaces), which allow different computer systems to talk to each other.
The engineer says that at Medefer those APIs were not properly secured and were potentially accessible to outsiders, who could have viewed patient information.
He said it was unlikely that patient information had been taken from Medefer, but that without a full investigation the company could not know for certain.
“I have worked in organisations where, if something like this happened, the entire system would be taken down immediately,” he said.
On finding the flaw, the engineer told the company that an external cyber security specialist should be brought in to check the problem, which he says the company did not do.
Medefer says the external security agency has confirmed that it found no evidence of any data breach and that all of the company’s data systems are currently secure.
It says the process of investigating and fixing the API flaw was “extremely open”.
Medefer said it had reported the issue to the ICO (Information Commissioner’s Office) and the CQC (Care Quality Commission) “in the interests of transparency”, and that the ICO confirmed no further action would be taken as there was no evidence of a breach.
The engineer, who was contracted in October to test for flaws in the company’s software, left the company in January.
In a statement, Medefer’s founder and CEO, Dr. Bahman Nedjat-Shakouhi, said: “There is no evidence of any patient data breach from our system.”
He confirmed that the flaw was discovered in November and a fix was developed within 48 hours.
“The external security agency has stated that the allegation that this flaw could provide access to large amounts of patients’ data is clearly incorrect.”
The security agency will complete its review at the end of this week.
Dr. Nedjat-Shakouhi said: “We take our duties to patients and the NHS very seriously. We have regular external security audits of our system by independent external security agencies, on many occasions every year.”

Cyber security experts who have seen the information supplied by the software engineer have expressed concern.
Professor Alan Woodward, a cyber security expert at the University of Surrey, said: “There is a possibility that the data obtained from the NHS has not been handled safely.”
“The database can be encrypted and all other precautions can be taken, but if there is a way to mess up the API authorisation, no one knows who could potentially gain access,” he said.
Another expert said the company should have brought in cyber security experts as soon as the problem was identified, since Medefer handles highly sensitive medical data.
“Even though the company suspected that no data was stolen, when an issue is found that could have resulted in data exposure, especially with data of this nature, it would be advisable to have a suitably qualified cyber security specialist investigate and confirm,” says Scott Helme, a security researcher.
Medefer was founded in 2013 by Dr. Nedjat-Shakouhi with the aim of improving outpatient care. Since then its technology has been used by NHS trusts across England.
The NHS spokesperson said in a statement that individual trusts are responsible for their contracts with the private sector.
“Individual NHS organisations should ensure that they fulfil their legal responsibilities and national data security standards for the protection of patient data when appointing suppliers, and we provide them with support and training at the national level.”