NHS apologizes after cyberattack on wheelchair supplier exposes patient data

The National Health Service has issued an apology after a cyberattack at NRS Healthcare, a medical equipment provider, exposed sensitive patient information in parts of East Yorkshire.

NHS Humber and North Yorkshire Integrated Care Board (ICB) confirmed the breach occurred on April 1, 2024, when an unauthorized third party accessed NRS Healthcare’s systems. The company supplied wheelchairs, hoists, and hospital beds under contracts with the NHS and local councils across England and Northern Ireland.

In June, the ICB, East Riding of Yorkshire Council and Hull City Council were informed that service users in their areas had been affected. The board said it was “sincerely sorry” for the incident, acknowledging the distress the breach may cause to patients and families. The data accessed included both personal details and special category information.

NRS Healthcare, once a key supplier of community healthcare equipment, went into receivership after its accounts revealed losses tied to the cyberattack, alongside financial difficulties linked to local council contracts. The company had reported the incident to the Information Commissioner’s Office and worked with the National Cyber Security Centre and police during the investigation.

According to the ICB, efforts to assess the extent of the breach have been ongoing for the past year. The board stressed that it no longer holds a contract with NRS Healthcare but was the commissioning body at the time of the attack.

Authorities have urged affected individuals to remain vigilant and report any suspected fraudulent activity. “We understand that this may be distressing for both service users and their families,” the NHS board said in a statement.