Cyber Incident Victim: NRS Healthcare
Date:
Mar 2024
Location:
United Kingdom
Summary
NRS Healthcare experienced a cyber-attack resulting in a data breach and operational disruptions, including temporary phone line unavailability and service delays. The company notified relevant authorities and engaged cybersecurity experts to investigate the compromise of personal data, with potential impacts on multiple local authorities and NHS entities. Oxfordshire County Council confirmed data theft occurred during the incident, advising vigilance against scams while awaiting further details on affected individuals.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 3 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The NRS Healthcare cyber incident emerged in late March 2024, with operational disruptions reported by customers as early as March 28 when delivery failures and communication breakdowns began occurring. On April 1, 2024, NRS Healthcare publicly confirmed through a Facebook post that it was experiencing a cybersecurity incident, acknowledging temporary service outages including non-functional phone lines and delayed operations across some systems. The company stated it had informed "all relevant authorities" but provided no technical details about the attack vector or intrusion timeline. Customer complaints documented in Facebook comments revealed widespread service impacts: failed medical equipment deliveries (including risers, wheelchairs, and mattresses), malfunctioning order notification systems, and inadequate incident communication from March 28 through early April. Oxfordshire County Council disclosed on April 1 that NRS Healthcare—its supplier of medical devices, continence products, and assistive technologies—had suffered a data breach during this cyberattack, though neither entity specified when the initial compromise occurred.
NRS Healthcare notified Oxfordshire County Council of the cyber incident on April 2, 2024, and confirmed on May 7 that data exfiltration had occurred during the attack. The company engaged IT and cybersecurity experts to investigate the breach while collaborating with the UK Information Commissioner’s Office, National Cyber Security Centre, and National Crime Agency. Oxfordshire County Council initiated precautionary measures by advising residents to scrutinize unsolicited communications and avoid clicking suspicious links, though neither NRS nor the council identified what specific personal data was compromised. Service disruptions persisted through at least early May, evidenced by unresolved customer equipment issues documented in social media interactions. The council confirmed the breach likely affected multiple local authorities and NHS entities nationwide due to NRS Healthcare’s status as a major supplier of healthcare aids across England. No ransomware claims or attacker identities were disclosed in available reports, and both organizations emphasized ongoing investigations to determine full breach scope and impacted individuals.