Data security incident at NHS in Bedfordshire
It happened in 2024
Bedfordshire Hospitals NHS Foundation Trust is informing patients and members of the public about a data security incident. Information of this nature can be concerning and the Trust says it wants to explain clearly what has happened, what this may mean for individuals and what actions it's taking in response.
The Trust said:
What happened?
"In June 2024, an organisation that provided essential services to us and other healthcare bodies experienced a major ransomware cyber-attack. This formed part of a wider incident affecting several organisations that support the healthcare sector. During the attack, criminals unlawfully accessed internal systems and extracted a set of files, which were later published on online forums known for sharing stolen data.
"The files taken were not organised as a single database and were highly unstructured, incomplete and fragmented. As a result, it has taken more than a year of detailed analysis by specialist teams at the supplier to reconstruct and understand what information was present and which organisations it related to.
"In October 2025, the supplier informed us that some data relevant to our organisation was included in the material they had recovered and analysed. We have since undertaken our own review of that material. Following this review, we decided that it was appropriate to publish this notice in relation to the incident."
What information was involved?
"The data taken during the incident came from internal administrative files rather than an operational database. It was not structured in the way you would normally expect for a single person’s record. Any personal data within these files is fragmented, incomplete, and dispersed across multiple documents. The information may relate to historic test activities from more than five years ago, prior to November 2020, but the format makes it difficult to interpret or link directly to individuals without significant additional context."
The information involved may have included:
Name
DOB
Patient Number
NHS Number
Postcode
Test results
Based on the supplier’s analysis, the data provided appears to relate to approximately 32,927 individuals.
Who is affected?
"Based on the information we have, it’s possible that the data relates to individuals who had laboratory or diagnostic results at Bedford Hospital or Luton and Dunstable Hospital during the period 2011 – 2020. Over the past year, the supplier has analysed and organised the data into a structured format that allows some links to individual records, but this is not how the data appears externally. While these links exist for some, we cannot be certain the data covers everyone, so the Trust has issued a blanket notification to ensure all potentially affected parties are informed."
What this means for you
"Because the data is fragmented, historic and not held in a structured or readily usable format, we believe the risk of it being clearly understood or misused is low. The supplier continues to monitor online forums where the material was published and has obtained a court injunction prohibiting third parties from accessing, sharing, publishing or misusing the stolen data. While the data remains present in those places, publication alone does not mean that it has been used in a harmful way. At this time, we are not aware of any evidence that the information has been accessed or used inappropriately.
"However, as a precaution, there remains a limited risk of unsolicited contact or phishing attempts."
What we are doing
"We take the security of personal data very seriously. Since identifying that the supplier’s incident included data relevant to us, we have:
"Reviewed the material provided by the supplier, including e-discovery analysis conducted by specialist forensic advisers, to understand the potential impact.
"Liaised closely with the NHS England Information Governance team.
"Notified the Information Commissioner’s Office, and we continue to engage with them as part of fulfilling our legal obligations."
What you can do
"As a precaution, we recommend that you:
"Remain alert to any unexpected communications asking for personal information
"Avoid clicking on links or opening attachments from unknown sources
"Be cautious of unsolicited calls, emails or texts that reference your information
"We will never contact you to ask for your password or sensitive personal information such as bank details or security codes."
Frequently Asked Questions (FAQs)
Why are we issuing this notification now?
"The original cyber-attack occurred in June 2024. Because the stolen data was highly unstructured and fragmented, it took an extended period of technical analysis to determine what was taken and how it might relate to specific organisations and individuals. Once we were informed that some of this material related to us, we conducted our own review and made the decision to notify."
What does it mean that the data is fragmented?
"The information does not exist as a single, complete record. Instead, it is made up of partial and disconnected pieces of information across many files, which significantly limits how easily it could be interpreted or used."
Does publication online mean my data will be misused?
"Publication does not necessarily mean that it has been accessed or misused. The data is hard to interpret in its current form. To date, we have no evidence of inappropriate use."
What are you doing to prevent this happening again?
"We continue to review our supplier arrangements and internal controls, and we are strengthening oversight and security measures to reduce the likelihood of similar incidents in future."
Support and contact details
If you have any questions or concerns, or would like further information, please contact:
Data Protection Officer: Heidi Walker
Email: [email protected]
You also have the right to raise a concern with the Information Commissioner’s Office.
You can find further information on this cyber incident here:
https://www.england.nhs.uk/synnovis-cyber-incident/