NHS Supply Chain Cyber Incidents: DXS and Barts Health Attack
December 2025 saw two significant cyber incidents affecting NHS services through supply chain compromises. DXS International, a GP software supplier serving 2,000 practices and 17 million patients, disclosed a ransomware attack on 18th December. Days earlier, Barts Health NHS Trust revealed that patient and staff data had been stolen and posted to the dark web via an Oracle E-Business Suite vulnerability exploited in August.
These incidents highlight a consistent and uncomfortable reality: NHS organisations are being compromised predominantly through vulnerable suppliers rather than direct attacks on core clinical infrastructure. For NHS suppliers, IT vendors, and healthtech organisations, they provide critical lessons on third-party risk, regulatory expectations, and the urgency of preparing for the incoming Cyber Security and Resilience Bill.
The DXS International Incident (December 2025)
DXS International, a UK-based healthcare technology provider, discovered a security incident affecting its office servers on 14 December 2025. The company provides software that helps reduce costs for GPs and primary care physicians, with approximately 2,000 GP practices using its BestPathway and Next-Gen platforms to oversee care for around 17 million patients.
The ransomware group DevMan claimed responsibility, listing DXS on their dark web leak site on 14 December and alleging theft of 300GB of data with a threatened release date of 20 December.
DXS took swift action to contain the breach, working immediately with NHS England cybersecurity teams. They hired an external cybersecurity firm for a forensic investigation and notified the Information Commissioner's Office (ICO), law enforcement, and relevant NHS bodies. The company stated there was minimal impact on services, with frontline clinical services remaining operational, and indicated no expected material adverse financial impact for fiscal year 2026.
At approximately £3.4 million in annual revenue, DXS is a small but strategically important supplier with significant patient data exposure. The company's financial reports indicate expectations to secure more customers in fiscal 2026/27 due to NHS restructuring driving platform standardisation, making this incident particularly concerning for the sector's future consolidation plans.
The Barts Health Incident (December 2025)
Barts Health NHS Trust disclosed that the criminal group Cl0p exploited a software vulnerability in Oracle E-Business Suite in August 2025, stealing files from the Trust's database. The stolen data, posted to the dark web in November, included names, addresses, and invoices of patients who paid for treatment, staff information for those who paid for services, files spanning several years, and accounting service files for Barking, Havering and Redbridge University Hospitals NHS Trust since April 2024.
Importantly, the Trust's electronic patient record and clinical systems were not affected, and core IT infrastructure was assessed as secure. The stolen data was accessible only to those able to retrieve compressed files from the dark web; it was not posted on the general internet. The Trust is working with NHS England, the National Cyber Security Centre, and the Metropolitan Police, has reported the incident to the ICO and relevant regulators, and is taking steps with suppliers to prevent recurrence.
Barts Health was previously affected by a cyber incident back in July 2023, appearing on the dark web victim blog of Russian ransomware gang BlackCat, which claimed to have stolen over seven terabytes of sensitive data. In response, the Trust rolled out a healthcare-focused cybersecurity platform from Cynerio in November 2024.
Both incidents demonstrate that trusts are being compromised through vulnerable third-party software in their supply chains rather than through direct attacks on NHS infrastructure.
The Oracle E-Business Suite vulnerability exploited at Barts Health represents a known, patchable security gap. The exploitation of known vulnerabilities in supplier software highlights inadequate vulnerability management across the NHS ecosystem.
Even when core clinical systems remain secure, support systems handling patient data for billing, administration, and services represent significant data breach exposure.
Critical Lessons for NHS Suppliers
Lesson 1: Patch Management is Non-Negotiable
Organisations must implement robust patch management programmes, prioritise security updates for internet-facing and business-critical systems, test and deploy patches within defined service level agreements, and maintain asset inventories identifying all systems requiring patching.
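The patch SLA tracking described in this lesson, as an added example that is not from the original article: a small inventory-driven checker that assigns each asset a remediation SLA based on whether it is internet-facing or business-critical, then reports which known-vulnerability patches are past due. The asset names, dates and SLA windows are constructed for illustration and do not describe any real NHS system.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Remediation windows per priority tier (constructed policy values for this example).
SLA_DAYS = {"critical": 7, "high": 14, "standard": 30}


@dataclass
class Asset:
    name: str
    internet_facing: bool
    business_critical: bool
    patch_released: date          # date the vendor fix became available
    patched_on: Optional[date] = None  # None means the fix is still outstanding


def priority(asset: Asset) -> str:
    """Internet-facing systems get the tightest SLA, then business-critical ones."""
    if asset.internet_facing:
        return "critical"
    if asset.business_critical:
        return "high"
    return "standard"


def sla_due(asset: Asset) -> date:
    """Latest acceptable patch date for this asset under its tier's SLA."""
    return asset.patch_released + timedelta(days=SLA_DAYS[priority(asset)])


def overdue(inventory: List[Asset], today: date) -> List[Asset]:
    """Unpatched assets whose SLA has already lapsed, most overdue first."""
    late = [a for a in inventory if a.patched_on is None and today > sla_due(a)]
    return sorted(late, key=lambda a: (sla_due(a), a.name))


def report(inventory: List[Asset], today: date) -> List[str]:
    """One line per overdue asset: name, tier and how many days past the SLA it is."""
    return [f"{a.name}: {priority(a)} patch {(today - sla_due(a)).days} days overdue"
            for a in overdue(inventory, today)]


# Constructed sample inventory (hypothetical hosts, not any real organisation's).
INVENTORY = [
    Asset("erp-web-01", True, True, date(2025, 11, 1)),
    Asset("gp-portal-api", True, False, date(2025, 12, 10)),
    Asset("hr-db-02", False, True, date(2025, 11, 20)),
    Asset("print-server", False, False, date(2025, 11, 25)),
    Asset("erp-web-02", True, True, date(2025, 11, 1), patched_on=date(2025, 11, 5)),
]

if __name__ == "__main__":
    print("\n".join(report(INVENTORY, date(2025, 12, 14))))
```

Running it lists the two assets that have slipped past their windows, with the internet-facing one first; feeding real inventory data in the same shape turns this into a routine SLA compliance check.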
Lesson 2: Assume You Are a Target
Small and medium suppliers must recognise they are valuable targets. Access to NHS patient data makes you attractive to ransomware groups, limited security resources make you easier to compromise than NHS Trusts, you represent a pathway to multiple NHS organisations, and your revenue size is irrelevant to threat actors.
Lesson 3: Incident Response Speed Matters
The swift containment and notification demonstrated in recent incidents represents good practice. Pre-established incident response plans enable rapid action, early engagement with NHS England provides coordination and support, prompt regulatory notification demonstrates accountability, and transparent communication protects relationships with NHS customers.
Lesson 4: Supply Chain Security is Your Responsibility
Recent incidents demonstrate that organisations cannot outsource cyber risk. When compromises occur via third-party software vulnerabilities, NHS organisations will increasingly audit supplier security. DSPT and the Cyber Security Bill will mandate supply chain assessments, and you must validate the security of your own technology suppliers.
Practical Steps for NHS Suppliers
Immediate Actions
Conduct vulnerability assessments to identify and remediate known vulnerabilities in your systems. Review third-party software to assess the security of platforms like Oracle, Microsoft, and other enterprise software. Test incident response plans to ensure you can detect, contain, and report incidents within 24 hours. Implement multi-factor authentication across all critical systems and administrative access, and establish NHS England contact protocols so you know who to notify and how during an incident.
For many NHS suppliers, particularly smaller organisations without dedicated security teams, partnering with a specialist cybersecurity consultancy like Periculo can accelerate these actions. Expert guidance ensures assessments are thorough, response plans are tested against real-world scenarios, and regulatory requirements are met from the outset.
Strategic Initiatives
Invest in endpoint detection and response (EDR) to improve detection of ransomware and lateral movement. Implement network segmentation to limit the impact of breaches to compromised systems. Enhance logging and monitoring to enable forensic investigation and threat hunting. Develop a supply chain security programme to assess and monitor your own suppliers, and engage board-level accountability to ensure executive ownership of cyber risk.
Risks of Inadequate Third-Party Risk Management
Inadequate third-party risk management can lead to direct compromise via supplier vulnerabilities, regulatory penalties for inadequate due diligence, contract termination by NHS organisations, reputational damage from association with breached suppliers, legal liability for consequential damages, and insurance exclusions for known but unmitigated risks.
Key Takeaways
Assume you are in scope—if you handle NHS data or provide services to healthcare, expect regulation. Patch known vulnerabilities immediately, prioritising internet-facing and business-critical systems. Practice incident response and test your ability to detect, contain, and report within 24 hours. Assess your suppliers—if you use Oracle, Microsoft, or other third-party software, validate their security.
Prepare for DSPT audit questions, as these incidents will inform 2025/26 audit focus areas. Monitor the Cyber Security Bill to understand requirements before they become law, and engage with NHS customers proactively to communicate your security posture and build trust.
The Future Regulatory Landscape
The regulatory environment for NHS suppliers is undergoing fundamental change. The Cyber Security and Resilience Bill, currently progressing through Parliament with its second reading scheduled for 6 January 2026, will bring IT suppliers and managed service providers directly into scope for the first time. This means mandatory incident reporting within 24 hours, specific ransomware disclosure requirements, and enhanced enforcement powers for regulators.
Coupled with evolving DSPT requirements that place greater emphasis on supply chain security assessments, suppliers can expect increased scrutiny of their security posture. The incidents at DXS and Barts Health demonstrate precisely why this regulatory tightening is necessary—and organisations that begin strengthening their defences now will find themselves better positioned when these requirements become law.
Managing Supply Chain Complexity
Building and maintaining a robust supply chain security programme is resource-intensive and requires specialist expertise. Periculo offers managed supply chain security services specifically designed for NHS suppliers, handling vendor assessments, continuous monitoring, and compliance validation. This allows organisations to demonstrate due diligence to NHS customers while focusing internal resources on core business activities. With regulatory scrutiny increasing under the Cyber Security and Resilience Bill, having expert support for third-party risk management is becoming essential rather than optional.
The DXS and Barts Health incidents reinforce a clear message: NHS cyber resilience depends on supply chain security. As the Cyber Security and Resilience Bill progresses and DSPT requirements mature, suppliers face an elevated expectation of security maturity. Known vulnerabilities must be patched, incident response must be rehearsed, and supply chains must be validated.
For organisations in the NHS ecosystem, these are not isolated incidents but warnings that the regulatory and threat landscape is fundamentally changing. The window to strengthen defences before the next incident—or the next regulatory enforcement action—is now.