NHS data leak raises ‘serious questions’ about Manchester University cyber attack

Security experts have raised concerns about the risks posed to NHS patient data in the wake of the University of Manchester cyber attack. 

A report from the Independent claimed that data belonging to more than one million NHS patients may have been compromised in the June attack. 

Data accessed by threat actors during the incident is believed to pertain to trauma patients and people treated for injuries sustained in terror attacks. 

The data sets, gathered for research purposes by the university, included NHS numbers and the ‘first three letters’ of patients’ postcodes, according to leaked documents seen by the publication.

The university has since informed NHS England of the data breach, but a notice to the healthcare provider warned that it is still unclear whether affected patients' names have been compromised.  

This prompted the university to issue a warning that there is potential for “NHS data to be made available in the public domain”. 

Similarly, university officials warned that some affected patients may not even know they are on the database as they were not required to provide consent. 

Deryck Mitchelson, field CISO at Check Point and former CISO at NHS National Services Scotland, said the incident should serve as a stark warning over the potential risks of data sharing between private organizations and public services. 

“The questions we need to be asking is why has the university, as a private commercial organization, had access to personal identifiable information from the NHS,” he said. 

“How many other universities have this type of data stored on their own servers?”

Mitchelson said the university must provide clarity on a number of key lingering questions, such as whether the data was obfuscated or de-identified, whether these data sets were segmented from others, and what safeguards the university had in place for the use of research data. 

“Where patient information is being used for research, there should be as much openness and transparency about that use as possible,” he said. 

“All of this opens up far more concerning conversations around data sharing between public and private organizations which needs to be addressed.”

ITPro has approached the University of Manchester for comment on the matter.

University of Manchester attack: What happened?

In early June, the university revealed it had experienced a “cyber incident” and confirmed that some systems had been accessed by an unauthorized third party.  

In the wake of the breach, staff were advised not to download files from university systems in an attempt to back them up.

University officials said that data had “likely been copied” during the breach and the institution was working with authorities to identify the source of the issue. Last week, the university confirmed that data had been stolen. 

The incident was initially believed to be linked to a breach at payroll provider Zellis in the wake of the MOVEit cyber attack. However, the university refuted these claims. 

To date, the university says it is yet to establish the identity of the threat actor or actors behind the attack. 

In recent weeks, students and staff members at the university have complained that they have received emails from the culprits threatening to sell or leak their personal data unless a ransom is paid.

Ross Kelly
News and Analysis Editor