NHS affected by the Capita data breach

Healthcare data breaches

In March 2023, Capita – one of the UK’s most prominent business process outsourcing and professional services companies – experienced two data protection breaches. The Capita data breaches could affect more than half a million UK pension holders, and an undisclosed number of people on benefits. And now it is confirmed that patients have also been affected. 

  • Following a ransomware cyber-attack, criminals exfiltrated some data from Capita’s servers. The breach impacted pension providers across the UK.  
  • The second data breach relates to the use of publicly accessible “unsafe storage” provided by Capita. This breach exposed the benefits data of several local authorities 
  • After the news of these data breaches broke, NHS England also reported a data breach related to Capita. According to reports, on this occasion the security failure involved GP information, not pension data.  

Capita NHS data breach

Capita alerted NHS England to the breach which involves a document containing ‘limited optometry information’ for two patients, and two files containing names and NHS numbers of deceased and de-registered GP patients. 

An NHS England statement on the Capita cyber incident states:  

“NHS England has reported a data breach to the Information Commissioners’ Office following the recent cyber incident involving Capita, who informed NHS England that a document containing limited optometry information for two patients was accessed. Capita has written to the two individuals to notify them and offer support. 

Capita also informed us that two files containing names and NHS numbers of deceased and de-registered patients were accessed. The files identified archived records that related to individuals who had died more than 10 years ago or who have not been registered with a GP in England for more than 10 years. No health data or other patient data was included in the lists or accessed as a result of the incident. 

An independent cyber security expert, appointed by Capita, has not found any evidence that the information has been made available more widely.” 

Commenting on the breach, Kingsley Hayes, Head of Privacy & Data Legislation said:

“While the NHS England breach seems only to have affected two living individuals. We shouldn’t underestimate the distress they are likely feeling knowing that hackers have accessed their personal data.  

“Furthermore, it appears as if this specific breach is linked to the wider cyberattack on Capita’s servers. Until now, we had been led to believe that this violation only affected those customers Capita provides with pension support. With GP files now accessed, does that mean that the Capita data hack is much wider in nature than was first thought?” 

Capita has said that it is working to notify all those affected. At KP Law, our cyber experts are investigating the breach to find out what happened, who is involved, and how the incident affects victims. 

If you receive notification that you are affected by a Capita data breach, register below to join our no-win, no-fee data breach compensation claim. 

In March 2024, our firm changed its name to KP Law. 

Share this article: