This week’s cyber briefing: a major attack on a global medical equipment supplier, a new investigation revealing systemic leakage of health research data, and the ICO’s latest enforcement action. Here is what happened...
The biggest story of the week was the cyberattack on Stryker by Handala, a group linked to Iranian intelligence, which caused NHS Supply Chain to place defibrillators and oral swab products under controlled allocation.
Read our blog: The Stryker Attack 2026: Iran Attacks Healthcare
An investigation found that de-identified UK Biobank health data – including hospital diagnoses for more than 400,000 participants – had been accidentally published to GitHub and other public repositories on multiple occasions by researchers. Investigators demonstrated that it was possible to partially re-identify a volunteer using only their month and year of birth combined with the published diagnosis data.
In response, UK Biobank issued 80 legal notices to GitHub between July and December 2025 and has since implemented mandatory researcher training and automated scanning tools to detect future exposures. For any organisation handling de-identified health datasets, this is a clear warning: under UK GDPR, data that can be re-identified with reasonable effort is still personal data, not anonymous information, and it must be governed, protected, and monitored accordingly.
The ICO fined Police Scotland £66,000 after it extracted the entire contents of a complainant's mobile phone without appropriate safeguards, then included the unredacted data in a disclosure bundle shared with an unauthorised third party. Breaches of both the Data Protection Act 2018 (Part 3) and UK GDPR were found.
Police Scotland is not a healthcare organisation, but the failure pattern (disproportionate data access, followed by disclosure beyond the intended purpose) is common across every sector that handles sensitive personal data, including health. Note also that a private IT supplier would not benefit from the public-body discount the ICO applied here.
NHS England Digital issued a high-severity cyber alert (CC-4748) for CVE-2026-20127, a critical zero-day in Cisco Catalyst SD-WAN that allows an unauthenticated attacker to bypass authentication. Exploitation in the wild has been confirmed. Organisations using Cisco Catalyst SD-WAN should apply vendor guidance immediately. Under DSPT Version 8, prompt response to high-severity NHS advisories is an expected standard, not an optional one.
The Cyber Security and Resilience Bill passed Commons Committee Stage in February and is now awaiting Report Stage. When enacted, it will extend NIS Regulations to a broader range of organisations and strengthen supply chain security requirements. This week's Stryker incident is a live illustration of why those provisions exist. If your organisation is not currently in scope of NIS but supplies services to organisations that are, it is worth assessing your position now.
A busy week: nation-state actors in the supply chain, health records on GitHub, an ICO enforcement action, a maximum-severity zero-day under active exploitation, and legislation moving closer to the statute book. The common thread is that the risks facing NHS suppliers and healthtech operators are becoming more varied, more visible, and harder to defer.
At Periculo, we work with organisations across the NHS supply chain who are navigating exactly this kind of environment, where the threat landscape, the regulatory expectations, and the consequences of getting it wrong are all moving in the same direction at once. The organisations that handle it best tend to be the ones that treat security and compliance as continuous work rather than an annual exercise, and who know where they stand before someone asks them to prove it.