West Midlands Police Investigates Data Breach at Walsall GP Surgery
West Midlands Police has bailed a 29-year-old woman as part of an ongoing investigation into a data breach at Croft Surgery, a general practitioner’s (GP) office in Willenhall, Walsall. The suspect, described as a staff member not directly employed by the surgery, was arrested on December 16 and accused of theft in connection with the incident.
In a statement released on December 17, Croft Surgery confirmed the breach but provided no further details on the nature of the stolen data or the suspect’s role. The surgery assured affected patients they would be contacted directly and emphasized its commitment to data protection. Local news outlet Express & Star first reported the arrest, noting the woman was assisting police with inquiries.
While the exact scope of the breach remains unconfirmed, past incidents at GP surgeries have involved the theft or mishandling of personal and sensitive medical records. West Midlands Police indicated additional details may be released later, though delays are expected due to high demand on their communications team.
In a separate but notable development, Chief Constable Craig Guildford admitted this week to using Microsoft Copilot to generate a report that influenced the force’s decision to ban Maccabi Tel Aviv football fans from a match at Aston Villa’s stadium in November. The AI-generated report falsely referenced a non-existent match between Maccabi and West Ham United and warned of potential violence a claim later revealed to be an AI hallucination. The decision has since drawn criticism, with Guildford issuing an apology for the error.
Guildford remains in his position but is set to meet with Simon Foster, the West Midlands Police and Crime Commissioner, on January 27 to address the fallout. Foster has stated he will review the matter thoroughly, citing his duty to hold the Chief Constable accountable. West Midlands Police expressed regret for the mistake, affirming no intent to distort facts or discriminate.
Source: https://www.theregister.com/2026/01/15/woman_bailed_following_doctors_office/
Croft Medical Centre cybersecurity rating report: https://www.rankiteo.com/company/croft-medical-centre
"id": "CRO1768486647",
"linkid": "croft-medical-centre",
"type": "Breach",
"date": "12/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': True,
'industry': 'Healthcare',
'location': 'Walsall, UK',
'name': 'Croft Surgery',
'type': 'Healthcare Provider'}],
'customer_advisories': 'Patients who may have been affected will be contacted '
'directly.',
'data_breach': {'personally_identifiable_information': True,
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personal Data',
'Sensitive Medical Data']},
'date_publicly_disclosed': '2023-12-17',
'description': 'A 29-year-old woman, a member of staff not directly employed '
'by Croft Surgery, was arrested and bailed as part of an '
'investigation into a data breach at the Walsall GP surgery. '
'The nature of the breach and types of data stolen have not '
'been confirmed.',
'impact': {'brand_reputation_impact': True,
'data_compromised': True,
'identity_theft_risk': True},
'investigation_status': 'Ongoing',
'motivation': 'Theft',
'references': [{'source': 'The Register'}, {'source': 'Express & Star'}],
'regulatory_compliance': {'regulations_violated': ['UK Data Protection Act',
'GDPR']},
'response': {'communication_strategy': 'Direct contact with affected patients',
'law_enforcement_notified': True},
'threat_actor': 'Insider Threat',
'title': 'Data Breach at Croft Surgery in Willenhall',
'type': 'Data Breach'}