Ransomware Hits NHS England Tech Provider DXS International, Raising Supply-Chain Risk Alerts

What happened

UK healthcare technology firm DXS International, a key supplier to NHS England, disclosed a ransomware attack that impacted its office servers on 14 December 2025. The company promptly contained the incident, engaged external cybersecurity specialists, and notified regulators and law enforcement, including the UK Information Commissioner’s Office (ICO). A threat actor identifying itself as DevMan claims to have stolen 300 GB of data, though that claim has not been independently verified. Front-line clinical services remained unaffected.

Who is affected

The breach directly involves DXS International’s internal infrastructure and potentially its data holdings. Although NHS clinical services continued operating, the incident underscores exposure within the healthcare supply chain. DXS products are used by around 2,000 GP practices overseeing care for millions of patients, making this a sector-wide concern. 

Why CISOs should care

Healthcare remains a high-value target for ransomware and extortion actors. Even when primary patient care systems are not disrupted, attacks on third-party vendors can expose sensitive data and erode trust, while triggering regulatory scrutiny and potential fines. This incident follows similar breaches involving NHS-linked suppliers and highlights persistent supply-chain security weaknesses that can ripple into wider health ecosystems.

3 practical actions

  1. Strengthen vendor risk management: Conduct enhanced due diligence and continuous cybersecurity assessments of all third-party vendors, with contractual requirements for incident reporting and security standards.
  2. Segment and monitor critical systems: Implement strict network segmentation and real-time monitoring to reduce the blast radius of breaches and detect anomalous activity early.
  3. Test and rehearse incident response: Regularly exercise cross-organizational incident response plans with key partners to ensure rapid containment and coordinated communication during supply-chain attacks.