FOI/2025/26/084

Request

1. Ransomware incidents (FY2022–FY2025)Please confirm whether any digital systems within hospitals managed by your NHS Trust were affected by ransomware attacks during the financial years 2022–2023 through to 2024–2025 (inclusive).If yes:

• How many separate ransomware incidents occurred within this period?
• For each incident, please provide:

• • The date or month of occurrence
  • A brief description of the nature of the attack (e.g. type of ransomware, point of system entry, services impacted)

 

2. Data breaches following cyber incidents (FY2022–FY2025)

Were any data breaches reported as a result of ransomware or other cyber incidents during this period?If yes, please provide for each breach:

• The type(s) of data affected (e.g. patient records, staff information)
• The specific impacts of each breach, categorised as follows (where applicable):

• • Loss of patient data
  • Loss of staff data
  • Disruption to patient services (please specify which services, if known)
  • Disruption to operational processes
  • Financial impact (e.g. cost of recovery, penalties, compensation, etc.)
  • Other impacts – please specify

 

3. Current cyber security measures (as of date of request)

Please list all cyber security measures and protocols currently in place across the Trust. These may include, but are not limited to:

• Cyber insurance (including provider and coverage if available)
• Internal and external firewall systems
• Use of multi-factor authentication (MFA) for user accounts
• Access control systems for sensitive data and critical systems
• Anti-virus and anti-malware protection
• Cyber security training or awareness programmes for employees
• Regular penetration testing or security audits (please specify frequency)
• Existence and status of an incident response plan (e.g. last updated date)

 

Response

In relation to queries 1,2 and 3 above the Trust is unable to provide a response. We have a legal requirement under part 3 section 10, (1, 2) of The Network and Information Systems (NIS) Regulations 2018, to protect information about the security of our networks, we would not be able to fulfil our requirements of the FOI if in doing so we breach the NIS Regulation. Essentially, we cannot disclose information about incidents or active risks, as in doing so it may put our security at further risk and/or could impact the provisioning or continuity of our essential services.

 

The Trust can neither confirm nor deny the existence of the requested information, the disclosure would be likely to prejudice the effective conduct of public affairs for the Trust, the NHS or any other government department(s) and as such conflicts with Section 36(2c) of the FOIA. The full wording of section 36 can be found here: https://www.legislation.gov.uk/ukpga/2000/36/section/36.