Cyber Incident Victim: King Edward VII’s Hospital

Date: Oct 2023

Location: United Kingdom

Summary

A cyber attack targeted King Edward VII’s Hospital, resulting in a third party obtaining unauthorized access to its systems. Confidential patient data, including doctors' letters and pathology reports containing health information, was copied, though no financial data was taken. The hospital stated the incident was contained quickly and that the vast majority of patients were unaffected. A small subset of individuals were notified and offered identity monitoring services due to the risk their data could be misused. The attack is being investigated by the National Cyber Security Centre and police.

Description

In early October 2023, King Edward VII’s Hospital in London experienced a significant IT security incident involving the unauthorized access of its systems by a third party. The hospital was alerted to the situation immediately and, due to existing security measures, was able to take steps to contain the incident very shortly after it occurred. The incident resulted in a third party copying a small amount of data from the hospital's IT infrastructure. While the majority of the copied data was internal hospital systems data, the breach did include some patient personal data. This compromised information consisted of confidential medical details found in documents such as doctors’ letters and pathology reports; the hospital confirmed that no financial or payment data was involved in the breach. The attack also affected the hospital's website, though patient care and services continued largely as normal throughout the event.

An investigation confirmed that fewer than one per cent of the hospital’s patients were affected by the data breach. The hospital’s chief executive, Justin Vale, notified these individuals via letter, warning them of the risk that their data could be misused. As a protective measure, the hospital offered affected patients free identity and credit monitoring services to help safeguard them from potentially fraudulent activity. The incident drew the attention of national authorities, prompting an investigation by the National Cyber Security Centre (NCSC), a part of the GCHQ spy agency, and the police. It was understood that the medical data of the Royal family, who are frequent patients at the hospital, was held separately and remained unaffected. The hospital issued a public apology for any concern caused and emphasized that the vast majority of patients were not impacted in any way.
