Cyber attack on the NHS: Government Must Have A Solution for Patients’ Concern

A Cyber attack on the NHS occurred again, following a long record of breaches. DXS International, a U.K.-based company, provides healthcare tech for England’s National Health Service (NHS). The company disclosed a cyberattack in a statement on Thursday. Hackers breach the internal servers of a tech provider to Britain’s health service.

As these breaches have a long history, patients are worried that their personal medical information is not kept private between them and their doctors. Between April 2019 and March 2021, there were 866 instances of attacks. In these cases, personal data was emailed or physically posted to the wrong person. Given the long-standing rise in breaches, this question arises: why does the Government not provide a solution to problems in the NHS, one of its most important organizations?

Cyber attack on the NHS: No Responses by DXS

DXS International is a U.K.-based company that provides healthcare tech for England’s National Health Service (NHS). The company disclosed a cyberattack in a statement on Thursday. The company said it experienced a “security incident affecting its office servers,” which was discovered on December 14.  The National Health Service suffered one of the most significant healthcare data breaches in UK history. It compromised the sensitive medical records of approximately 1.8 million patients across 32 NHS trusts. This sophisticated Cyber attack exposed highly sensitive health information. It also disrupted critical healthcare services. The result highlighted systemic vulnerabilities in the UK’s healthcare cybersecurity infrastructure.

The attack began with a highly targeted spear phishing campaign against administrative staff at three major NHS trusts. Attackers impersonated NHS Digital officials. They sent emails requesting urgent verification of credentials due to system upgrades. These emails contained malicious links that installed keylogger malware on vulnerable endpoints. The NHS is blaming a coding error for 150,000 patients in England. The affected patients had requested that their confidential health information be used only to provide them with care.

Cyber attack on the NHS: What Happened to Patients’ Information?

Hackers breach the internal servers of a tech provider to Britain’s health service. A spokesperson for NHS England did not immediately respond to a request for comment about whether patient data has been impacted. DXS said investigations are ongoing. The company is working with NHS cybersecurity teams and external specialists “whose thorough investigations are underway to establish the nature and extent of the incident.” This breach represents a catastrophic failure in healthcare cybersecurity. The NHS holds some of the most sensitive personal data, and this incident demonstrates the urgent need for fundamental reform in how we protect health information in the digital age.

The company’s products integrate with core NHS systems and, according to its own statements, support around 10% of all NHS referrals in England, with its software touching the workflows of millions of registered patients. The company is not a core electronic health record provider and does not hold central medical records. However, some of its systems process the patient data to provide clinical guidance to healthcare providers. Ransomware group DevMan took credit for the breach in a post on its dark web site, seen by TechCrunch, in which the hackers claim to have stolen 300 gigabytes of data from the company.

 Not an Isolated Incident: Successive Cyber-A

ttacks

The Cyber attack on the NHS comes amid heightened concern over attacks on health technology suppliers in the United Kingdom, which have underscored how incidents affecting third-party systems, even when they do not host core records, can have operational implications.

At least one patient died following a ransomware attack on pathology provider Synnovis last year. The attack also cancelled thousands of operations and appointments. Another ransomware attack impacting software supplier Advanced back in 2022 led to the temporary shutdown of the NHS 111 critical service used to triage non-emergency but urgent medical calls. In that incident, doctors, nurses, and other staff had to use pen and paper to complete their work due to disruptions to IT systems. It provoked a crisis management. The officials feared the effect the attack could have on patient care. ICO fined Advanced £3 million for its security failings.

More Breaches: More Data Revealed

A cyberattack shared the private data of thousands of NHS patients with strangers. For instance, it revealed information about a person’s HIV status, The Independent has learned. In another example, strangers turned up at a woman’s door to let her know her private details, including her home address. In some cases, the NHS has had to pay thousands of pounds in compensation for errors that, once brought to light, will shake confidence in the health system’s ability to handle patient data responsibly.

The latest statistics from the Information Commissioner’s Office (ICO) show that there were 3,557 personal data breaches across the health sector in the two years to 31 March this year. Not all data breaches need to be reported, so the total is likely to be much higher.

Long History of Breaches: No Lessons Learnt from Past

Between April 2019 and March 2021, there were 866 cyberattacks which led to emailing or physically posting personal data to the wrong person. Other errors included losing paperwork or devices such as laptops. On other occasions, staff verbally revealed incorrect information. Moreover, in 12 cases, Cyber attack on the NHS deliberately altered data without consent.

According to the ICO, there were more data breaches across the health sector during 2019-20 than in any of the other public, private, and charitable sectors it examined. The breaches included 456 instances in which the wrong recipient received another patient’s data. There were 225 cases in which private information was either stolen, lost, or left in an insecure location.

Now, after this disaster has occurred, the officials’ constant emphasis that medical services have not been disrupted cannot sideline the main issue, because medical data—unlike systems and services—are neither replaceable nor can the damage caused by their disclosure ever be fully remedied.”

Now, after another Cyber attack on the NHS, following a long history of breaches, officials may insist that medical services have not been disrupted. However, they cannot deny the fact that patients’ medical data has once again been exposed to serious risk. This issue raises questions about the security of the NHS’s digital systems and damages public trust in the Government.