What do we now know about the Cambian data breach? 


Earlier this year, children’s social care provider Cambian Group experienced a data security breach after “unauthorised activity” on its computer systems.    

Following the breach, we launched an investigation to find out how this data privacy violation was allowed to happen, and how the security incident affected those who use Cambian’s services.  We have since spoken to the Times about this breach. 

Almost a year on, here’s what we know about the Cambian data breach:  

Highly sensitive data was accessed by cybercriminals

The highly sensitive information exposed in this hack included home addresses, contact numbers, and email addresses. Some medical information was also compromised in this attack, including Educational Health Care Plan reports, GP records, medical notes, diagnoses, and referrals to other medical professions.

Foster parent applications were also breached (By the Bridge Fostering, which is part of the Cambian Group, was also affected by this data security incident).

Financial data was stolen by cybercriminals

Some victims experienced fraudulent transactions and had to change their payment cards and secure their bank accounts following the breach. Cambian has confirmed that financial information has been compromised.  

The information was put up for sale online

Data stolen in this hack was subsequently found on the dark web. This includes:  

      • Parent and student personal details 
      • Next of kin details 
      • Medical data 
      • Financial and bank details 

Months after the hack, this confidential data was still for sale online.  

Cambian failed to inform some victims of this attack for months

Despite becoming aware of the incident at the start of 2023, Cambian took months to inform some of those affected by the breach. As mentioned in the Times, Cambian is now under fire for its response to this cyberattack.

The breach put vulnerable individuals at risk

Cambian is owned by CareTech. It operates a network of hospitals, schools, and homes for children and adults with learning disabilities, autism, and mental health conditions. Cambian currently looks after 2,100 children across the UK, including foster children, and its services have a specific focus on individuals who present with high-severity needs.

The fact that these individuals could have their data sold and bought by cybercriminals is extremely worrying.

Make a Cambian data breach compensation claim

We expect our confidential medical data to be taken care of, but the UK health sector accounts for nearly half of all data breaches. As our health and social care system becomes increasingly digital, there are concerns that the robust protections required are simply not in place and that data privacy is often being treated as an afterthought.  

It is unlikely that cybercriminals would have accessed Cambian’s systems if robust data security processes had been in place. As such, Cambian must be held accountable for any harm, loss and distress experienced.   

If you are affected by the Cambian data breach, register to join our no-win, no-fee action and claim compensation for this data protection failure.  

Because of the nature of this breach, and the sensitivities involved, we can represent you anonymously, and speak on your behalf.   

In March 2024, our firm changed its name to KP Law. 
