FAQs about the Cambian data breach 


Vulnerable individuals were put at risk following a hack at social care provider Cambian. The security threat happened after Cambian Group discovered “unauthorised activity” on its computer systems back in January 2023. Personal, medical, and financial information was compromised in the breach and was later found on the dark web. Months after the hack, this information was still for sale online.  

Following the Cambian breach, our data protection experts launched a no-win, no-fee group action to help victims claim compensation. You can find out more about our group action here.  

Below, you will find our answers to some of the most frequently asked questions we have received about joining our data breach group action.  

Could victims of the Cambian data breach be at risk?

Unfortunately, yes. We have seen victims of similar data breaches become the target of cybercriminals, with instances of phishing, fraud, and identity theft. This case is especially worrying as Cambian is owned by CareTech, which operates a network of hospitals, schools, and homes for children and adults with learning disabilities, autism, and mental health conditions. As such, vulnerable individuals are at risk.

Cambian has warned those involved in this breach not to search for their information on the dark web, as it could be infected with malware and accessing this data could put them at further risk of cybercrime.

What type of data was stolen?

A significant amount of personal data – including sensitive special category health data – has been put up for sale online following the Cambian data breach. This includes:

      • Parent and student personal details. Including names, dates of birth, home addresses, contact numbers, and email addresses.
      • Next of kin details. Including telephone numbers and email addresses.
      • Medical data. Such as Educational Health Care Plan reports, GP records, medical notes, diagnoses, and referrals to other medical professionals.
      • Financial and bank details. Including names, sort codes, and account numbers.
      • Foster parent details. Including fostering applications and assessments, bank details, and documents relating to their role as a foster parent.

Teachers and other workers within Cambian’s schools are also affected by this data breach.

Worryingly, Cambian admits that further data could also be affected.

Have there been any reported cases of fraud following the Cambian data breach?

Yes, some of our clients have already experienced fraudulent transactions and have had to change their payment cards and secure their bank accounts. As such, anyone affected by the Cambian hack should be extra vigilant.  

Who is responsible for the Cambian data breach?

The AvosLocker ransomware gang, which has been flagged as a threat by the FBI, is thought to be behind the attack. However, it is unlikely that cybercriminals would have successfully accessed Cambian’s systems if robust data security processes had been in place. As such, Cambian must be held accountable for any losses and distress experienced.   

Was my information accessed in this breach?

Cambian should have informed those affected by the incident. Anyone involved in this data protection failure should immediately take steps to protect themselves. 

Why was I not told about the Cambian data breach immediately?

Initially, Cambian was unable to confirm what data had been compromised in the attack. Once it had established who was affected by the breach, it began the notification process. 

Unfortunately, for some victims, this didn’t happen until months after the data security hack. By failing to take sufficient steps to notify all those involved immediately, Cambian left some victims exposed, as they were not given the opportunity to protect themselves. This has added to their worry now that they have found out about the breach.    

What is a group action?

A group action claim is where a group of people – sometimes even thousands of people – have been affected by the same issue. Group action cases are also known as class actions, multi-claimant, or multi-party actions. 

Will I harm Cambian if I make a claim?

We expect our confidential medical data to be taken care of. But the UK health sector accounts for nearly half of all data breaches, and as our health and social care system becomes increasingly digital, there are concerns that the robust protections required are simply not in place.  

Data privacy is often treated as an afterthought, and while no one wants to sue those working in the sector, making a claim is sometimes the only way to force improvements in data security. It is also worth mentioning that such organisations should be insured against compensation claims.

How much will it cost me to claim?

There are no costs to join a claim. However, if your claim is successful, you may have to pay a ‘success fee’. This fee is taken from the compensation awarded to you. Our success fee is competitive, and we make sure you are fully informed about any potential costs before you officially join our action. If you lose, you won’t have to pay a penny. 

Can I join the claim if I have not lost any money?

Yes. The emotional impact of the Cambian data breach should not be underestimated.  

We all know the impact that theft can have on a person. Following a burglary, people often feel shock, anger, fear, helplessness, and panic. These feelings might develop immediately or be experienced much later. Cybercriminals are committing theft when they steal personal data, so it is understandable that some people feel distressed.  

When making a compensation award, the court will look at the specific circumstances of your case. This includes things like the sensitivity of the data compromised and the nature of the disclosure. The court may be prepared to award damages even in cases where your fears about what might happen with your data are not rational. The threat of disclosure alone, and the loss of trust in authorities resulting from a data breach, could result in compensation.

This breach includes special category data. This is personal data that needs more protection because it is sensitive. Under UK law, in addition to the usual data protection rules and regulations, any organisation that processes (uses or holds) special category data must meet additional conditions and safeguards. If special category data falls into the wrong hands, the potential impact to the individuals it is about could be devastating. If Cambian did not have adequate processes and security in place, it could be liable for any distress experienced by victims of the data breach. 

If you are affected by the Cambian data breach, join our no-win, no-fee action and claim compensation for this data protection failure. Because of the nature of this breach, and the sensitivities involved, we can represent you anonymously, and speak on your behalf.    

In March 2024, our firm changed its name to KP Law. 
