British police have made a series of arrests over the past few months after people with apparent access to NHS databases allegedly sold fake vaccination status entries on the NHS vaccine passport app.
This week the Metropolitan Police's Cyber Crime Unit declared it had arrested three men after an unidentified NHS trust "noticed a suspicious pattern on some online vaccination records", according to Essex newspaper the Yellow Advertiser.
Two men, aged 23 and 27 and said to be from Ilford in east London, were arrested on suspicion of committing Computer Misuse Act offences. A third man, also from Ilford, was similarly arrested as part of a separate, unconnected investigation. Police raided houses and seized various electronic devices, the force said in a statement sent to The Reg.
Detective Superintendent Helen Rance said: "The staff at both trusts did the right thing and reported their concerns, which has allowed us to fully investigate the circumstances. I want to reassure the public that no systems were hacked into from outside of the NHS networks and the integrity of the NHS systems remains robust."
Jake Moore, global cybersecurity advisor of antivirus firm ESET and a one-time head of digital forensics for Dorset Police, told us: "This is a huge moment for local cyber crime teams who often get a lot of flak for barely being able to tackle even a small percentage of digital crime under limited resources and a lack of centrally held money."
He continued: "Although this wasn't a remote attack, these particular arrests highlight the significance of an insider for such an operation to occur under the radar. Notable surges are often driven by the ease at which criminal gangs can operate but are often far from sloppy in their process. The next step, of course, will be if the police can locate enough digital evidence to prosecute."
The Computer Misuse Act makes it a criminal offence to access a computer system without authorisation. The latest arrests follow a Mail on Sunday investigation in October, where it claimed to have unmasked a Briton using a Telegram account to sell fake vaccine passport entries. Earlier this year the Guardian published a feature highlighting the growing global trade in fake vaccination status passports and apps.
Demand for forged papers could increase after MPs voted to make vaccine passports mandatory this week, with the latest legal regulations being explained by the BBC.
The NHS vaccine passport app was greenlighted in May, despite civil liberties campaigners warning it risked creating social divisions between antivax conspiracy theorists, people opposed to vaccine passports themselves and supporters of the scheme.
Those opposed to vaccine passports have highlighted previous government promises that vaccine passports wouldn't be used as a mandatory condition of entry to social venues, soon ditched when it saw the passports would be useful for slowing the spread of harmful COVID-19 variants.
- The Reg takes the US government's insider threat training course
- Now that's a somewhat unexpected insider threat: Zoombombings mostly blamed on rogue participants, unique solution offered
- If you're despairing at staff sharing admin passwords, look on the bright side. That's CIA-grade security
- Computer misuse crimes in UK surge to high not seen since 2017 even as prosecutions slump 20%
NHS England's treatment of patients' personal data during the pandemic has been murky. Palantir, the US surveillance tech business, popped up at the heart of NHS data flows – with the state-owned health organisation being curiously unwilling to say how much data was being handed to Palantir or why. As that was happening, the NHS was also preparing to launch the "biggest data grab" in its history, moving GP patient data from their local surgeries to a central repository. This was temporarily delayed after a public outcry.
Meanwhile the NHS England's former tech arm, NHSX, declared that data harvested from people's phones by its contact-tracing app would be stored for unspecified "research". Having become synonymous with the semi-consensual harvesting and resale of patient data, NHSX was later rebranded as the NHS England Transformation Directorate in November 2021. ®