Confidential medical information relating to 150,000 patients of the United Kingdom’s National Health Service has been released because of what has been described as a “coding error” in software provided by a third-party vendor.

The data disclosure came about following an issue in software from healthcare technology solutions provider TPP that ignored Type 2 opt-outs, an option U.K. patients have to keep their medical data private. Instead, their data was shared for clinical auditing and research.

“NHS Digital recently identified a supplier defect in the processing of historical patient objections to the sharing of their confidential health data,” U.K. Health Minister Jackie Doyle-Price said in a statement Monday. “As a result, these objections were not upheld by NHS Digital in its data dissemination.”

Doyle-Price added that despite sharing confidential medical information, “there is not, and has never been, any risk to patient care as a result of this error.”

Jeannie Warner, security manager at WhiteHat Security Inc. told SiliconANGLE that the case once again highlights issues with using outside software.

“The strength of third-party vendor software coding and security is more important than ever as GDPR is in full effect and data privacy concerns mount,” she said. “Especially after last year’s WannaCry attack, basic IT hygiene, as well as vendor vetting, are rising in importance.”

Warner explained that organizations can take steps to prevent data sharing issues through third-party software, including establishing acceptable vendor coding and security standards.

Organizations should “establish controls that third-party vendors must meet before they can be deployed in the organization,” Warner said. In addition, organizations should ask for attestation letters or other certification reviews.

Not least, Warner said, it’s important to communicate the security standards and requirements to the vendors. “Educate them, answer their questions and get their commitment to meeting the standards,” she said. “Establish a timeline to make them achieve compliance if they are not already compliant. Security is a process, but a trusted software partner needs to be as secure as your own internal standards.”

Photo: Wikimedia Commons