NHS England has reported a data breach involving GP information after a cyber-attack on Capita, impacting 90 organizations. Initially, Capita claimed the attack was limited to parts of its network with no evidence of compromised data.
However, in May, the company admitted that some data had been exfiltrated, leading to estimated costs of £15-20 million for recovery and reinforcement of cyber security.
The Information Commissioner’s Office advised organizations using Capita’s services to assess their data’s impact. NHS England notified the ICO after Capita revealed that a document containing limited optometry information for two patients had been accessed.
Two files containing names and NHS numbers of deceased and de-registered GP patients were also compromised.
NHS England clarified that the accessed files only contained archived records of individuals who had been deceased or not registered with a GP in England for more than a decade.
No health or patient data was included in the breach, and an independent cyber security expert appointed by Capita found no evidence of wider data exposure.
Capita is actively working with regulatory authorities, customers, suppliers, and colleagues to notify affected parties and address the incident. The company interrupted the unauthorized intrusion, significantly limiting the attack’s impact.
Capita has taken extensive measures to recover and secure customer, supplier, and colleague data, while also addressing any arising issues.
Due to previous issues with Capita’s performance, including delays in pension processing for GPs, NHS England is considering splitting up its primary care support services into separate units when the current Capita contract is re-procured in 2025.
