Cyber Incident Victim: University College London Hospitals NHS Foundation Trust

On 28 May 2025, media reports emerged indicating that unauthorized users had accessed a system operated by University College London Hospitals NHS Foundation Trust. The trust confirmed the reports and described the event as a cyber security incident. The compromised system contained information relating to staff mobile devices. Specifically, the data included mobile telephone numbers and the International Mobile Equipment Identity (IMEI) numbers of those devices. The trust explicitly stated that the system did not hold passwords or any patient data. Consequently, there was no evidence that patient information had been accessed or exfiltrated. The trust emphasized that it had found no indication that staff personal data beyond the mobile device identifiers had been compromised.

Upon discovery, the trust took immediate steps to secure the affected system and prevent further unauthorized access. It initiated a thorough investigation into the circumstances surrounding the breach. As part of its response, the trust collaborated with cyber security colleagues from NHS England. The joint effort aimed to assess the scope of the incident, identify any vulnerabilities, and reinforce defenses. The trust also communicated reassurance to patients, confirming that their data remained unaffected. No further details about the attackers, their motives, or the exact timeline of access were disclosed in the statement. The trust affirmed its commitment to maintaining the security of its systems and data moving forward.