List of UK healthcare companies that are not “secure by default”

This is one of several posts of the topic of security of websites. Inspired by my initial post on the security of UK banks.

The reason for splitting this data into multiple posts is to make it more manageable. So that data on one institution is not mixed with data on another type of institution.

The following key is used for the secure status:

Yes	The site is secure, loaded via https
Dual	The site can be loaded via http, or via https.
Invalid	The site loads via https, but the security certificate is invalid and thus the site is insecure.
Partial	The site loads via https, but loads some parts of the page without https. The site is insecure.
No	The site is loaded via http, not via https.
Fixed	The site is loaded via https, but at the time of first writing it was loaded via http.
??	We could not find a website to evaluate.

We tested 24 healthcare companies. We found 2 healthcare companies that did not have a secure home page (not https or did have https with an invalid security certificate). That is 8% of UK healthcare companies have security vulnerabilities.

Healthcare company	Secure	Home Page
Aviva Healthcare	Yes	https://www.aviva.co.uk/
AXA PPP	Yes	https://www.axappphealthcare.co.uk/
Benenden Healthcare Society	Yes	https://www.benenden.co.uk/
Birmingham Hospital Saturday Fund	Yes	https://www.bhsf.co.uk/
Bupa	Yes	https://www.bupa.co.uk/
CS Healthcare	Yes	https://www.cshealthcare.co.uk/
Engage Mutual Assurance	Yes	https://www.onefamily.com/
Exeter Family Friendly	Yes	https://www.the-exeter.com/
General & Medical Healthcare	Yes	https://www.generalandmedical.com/
Health-on-Line	Yes	https://www.health-on-line.co.uk/
Healthshield	Yes	https://www.healthshield.co.uk/
HSF	Yes	https://www.hsf.co.uk
Insurety	No	http://www.april-uk.com
Medicash	Yes	https://www.medicash.org
National Friendly	Yes	https://nationalfriendly.co.uk/
Saga	Dual	http://www.saga.co.uk
Secure Health	Yes	https://www.securehealth.co.uk/
Sovereign Health	Yes	https://www.sovereignhealthcare.co.uk/
Simply Health	Yes	https://www.simplyhealth.co.uk/
Vitality	Yes	https://www.vitality.co.uk/
Westfield	Yes	https://www.westfieldhealth.com/
WHA	Yes	https://www.whahealthcare.co.uk/
WHCA	Yes	https://www.orchardhealthcare.co.uk/
WPA	Yes	https://www.wpa.org.uk/

Commentary

Saga’s website is avialable via http and via https. This should be https only.

Disclaimer

I shouldn’t need to point this out, but i will, all the same, just to be clear.

The data provided on this page should taken at face value. If you’re not sure about something, please verify it yourself. Nothing reported here should be regarded as a criticism or an endorsement or recommendation of an organisations security effectiveness. I am simply passing comment on whether the home page (whatever that may be) is provided as https on not. Other security concerns are a separate matter.

If your organisation is listed here and is not marked as secure, your best course of action is to fix that, not to complain that someone is reporting a fact anyone with a web browser can discover. The security status of your home page is public information, albeit information that many people don’t understand.

Guest posts

No, we’re not interested in having a guest post about finance related topics. These articles are about security, not finance.

Original post

This post was originally published 15 Dec 2017 on the softwareverify.com blog. We moved these posts to this dedicated domain 27 March 2025.