NRS Healthcare

NRS Healthcare, a provider of medical equipment (including wheelchairs and hoists) to the NHS and local councils, suffered a cyber security incident on 1 April 2024 when an unauthorized third party accessed its systems. The breach exposed personal and special category data of service users in East Yorkshire, Hull, and North Yorkshire, managed by NHS Humber & North Yorkshire ICB. The incident was reported to the Information Commissioner’s Office (ICO), with investigations involving the National Cyber Security Centre (NCSC) and police. The breach contributed to NRS Healthcare’s financial collapse, pushing it into receivership after a costly cyber attack and unprofitable contracts. While the NHS ICB was the service commissioner at the time, it no longer holds a contract with NRS. Affected individuals were warned about potential fraudulent activity stemming from the breach, with the NHS issuing an apology for the distress caused to patients and families. The exposed data’s sensitivity and the company’s subsequent failure highlight severe operational and reputational damage.

Source: https://www.bbc.com/news/articles/cm2dl92xzjmo

TPRM report: https://www.rankiteo.com/company/nrshealthcare

"id": "nrs3492934092225",
"linkid": "nrshealthcare",
"type": "Breach",
"date": "4/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'customers_affected': 'Service users in East Yorkshire '
                                              '(NHS Humber & North Yorkshire '
                                              'ICB, East Riding of Yorkshire '
                                              'Council, Hull City Council)',
                        'industry': 'Healthcare',
                        'location': 'UK (England and Northern Ireland)',
                        'name': 'NRS Healthcare',
                        'type': 'Private Company (Medical Equipment Provider)'},
                       {'customers_affected': 'Service users in East Yorkshire',
                        'industry': 'Healthcare',
                        'location': 'East Yorkshire, UK',
                        'name': 'NHS Humber & North Yorkshire Integrated Care '
                                'Board (ICB)',
                        'type': 'Government/Healthcare'},
                       {'customers_affected': 'Service users in East Yorkshire',
                        'industry': 'Public Sector',
                        'location': 'East Yorkshire, UK',
                        'name': 'East Riding of Yorkshire Council',
                        'type': 'Local Government'},
                       {'customers_affected': 'Service users in Hull',
                        'industry': 'Public Sector',
                        'location': 'Hull, UK',
                        'name': 'Hull City Council',
                        'type': 'Local Government'}],
 'customer_advisories': 'Affected individuals advised to report fraudulent '
                        'activity',
 'data_breach': {'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (includes special category data)',
                 'type_of_data_compromised': ['Personal data',
                                              'Special category data']},
 'date_detected': '2024-04-01',
 'date_publicly_disclosed': '2024-06',
 'description': 'A cyber security incident at NRS Healthcare, a provider of '
                'wheelchairs and medical equipment to the NHS and local '
                'councils, resulted in unauthorized access to personal and '
                'special category data of service users in East Yorkshire. The '
                'breach was detected on 1 April 2024, and affected individuals '
                'were notified in June 2024. NRS Healthcare subsequently '
                'entered receivership, citing financial losses from the cyber '
                'attack and unprofitable contracts. The breach was reported to '
                'the ICO, NCSC, and police, with investigations ongoing for 12 '
                'months. The NHS and involved councils issued apologies and '
                'advised affected individuals to monitor for fraudulent '
                'activity.',
 'impact': {'brand_reputation_impact': True,
            'data_compromised': ['Personal data', 'Special category data'],
            'financial_loss': True,
            'identity_theft_risk': True,
            'operational_impact': True,
            'revenue_loss': True},
 'initial_access_broker': {'high_value_targets': ['Personal data',
                                                  'Special category data']},
 'investigation_status': 'Ongoing (12 months as of disclosure)',
 'ransomware': {'data_exfiltration': True},
 'references': [{'source': 'BBC News'}],
 'regulatory_compliance': {'regulations_violated': ['UK GDPR',
                                                    'Data Protection Act 2018'],
                           'regulatory_notifications': ['Information '
                                                        "Commissioner's Office "
                                                        '(ICO)']},
 'response': {'communication_strategy': ['Public apology',
                                         'Advisory for affected individuals to '
                                         'report fraudulent activity'],
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'third_party_assistance': ['National Cyber Security Centre '
                                         '(NCSC)']},
 'stakeholder_advisories': ['NHS ICB apology',
                            'Council notifications',
                            'Fraud monitoring advisory for affected '
                            'individuals'],
 'threat_actor': 'Unauthorised third party',
 'title': 'Data Breach at NRS Healthcare Impacting NHS Wheelchair Service '
          'Users',
 'type': ['Data Breach', 'Cyber Security Incident']}