Threat Report 159

Written by Craig Pepper | Jan 19, 2026 10:00:01 AM

In this week's report, we cover: a Microsoft security update that fixes a flaw already being used by attackers; a critical vulnerability in a popular WordPress plugin that is under active attack; a major cyberattack on hospitals in Belgium that caused widespread disruption to patient care; and a police investigation into a data breach at a doctor's surgery in the UK.

Microsoft Releases January 2026 Security Updates, Fixing Actively Exploited Flaw

Microsoft has released its first scheduled security update for 2026. The update fixes 112 security holes in a wide range of its products, from Windows to Office. One of the fixed problems, which could allow an attacker to steal information, was already being used by criminals before the fix was released. This makes it a particularly urgent issue for organisations to address.

Nearly every business and healthcare provider in the UK relies on Microsoft products. When a security flaw is being actively used by attackers, it means there is a real and immediate risk of a cyberattack.
 
For any organisation that handles patient data, such as NHS suppliers or health tech companies, failing to apply this security update could lead to a data breach and a failure to meet the standards of the Data Security and Protection Toolkit (DSPT).

Recommendations

  • Apply the January 2026 security updates to all Microsoft products as soon as possible.
  • Make it a priority to patch the systems that are affected by the information disclosure flaw that is being actively exploited.
  • Check your security logs for any unusual activity that might suggest attackers have tried to use the publicly known flaws against your systems.

Critical Flaw in Popular WordPress Plugin Under Active Attack

A serious security flaw has been discovered in a WordPress plugin called ‘Modular DS’. This plugin is used on more than 40,000 websites. The flaw is rated 10.0 out of 10 for severity because it allows an attacker to take complete control of a website as an administrator, without needing a password. Criminals have already started using this flaw to attack websites.

Many organisations use WordPress for their websites. If your website is compromised, it could be used to steal customer information, be defaced with other content, or even host fake login pages to trick your visitors. For a digital health company, a hacked website can cause significant damage to your reputation and make it hard for patients and customers to trust you.

Recommendations

  • If your website uses the ‘Modular DS’ plugin, you must update it to the latest version (2.5.2) immediately.
  • If you are unable to update the plugin right away, you should disable it to protect your site.
  • Review your website’s user accounts to check for any new or unauthorised administrator accounts.
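
One way to carry out the administrator-account review above, as an added example that is not part of the original report: it reads the JSON produced by WP-CLI's `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=json` and flags accounts that are not on an approved list or were registered inside a review window. The approved logins, the review start date and the sample records are constructed assumptions.

```python
import json
from datetime import datetime

# Constructed sample of the WP-CLI JSON output described in the lead-in.
SAMPLE_WP_CLI_JSON = """[
 {"ID": 1,  "user_login": "site-owner",  "user_email": "owner@example.org",
  "user_registered": "2023-04-02 09:15:00"},
 {"ID": 7,  "user_login": "web-agency",  "user_email": "support@example.net",
  "user_registered": "2024-11-20 14:03:21"},
 {"ID": 19, "user_login": "former-dev",  "user_email": "dev@example.net",
  "user_registered": "2022-06-30 11:40:09"},
 {"ID": 42, "user_login": "wp_support1", "user_email": "x9@example.com",
  "user_registered": "2026-01-14 03:27:55"}
]"""

APPROVED_ADMINS = {"site-owner", "web-agency"}  # assumption: your known-good admins
REVIEW_SINCE = datetime(2026, 1, 1)             # assumption: start of review window


def audit_admins(wp_cli_json, approved, since):
    """Return [(login, [reasons])] for administrator accounts that need review."""
    findings = []
    for user in json.loads(wp_cli_json):
        login = str(user.get("user_login") or "")
        reasons = []
        if login.lower() not in approved:
            reasons.append("not on approved list")
        try:
            registered = datetime.strptime(
                str(user.get("user_registered") or ""), "%Y-%m-%d %H:%M:%S")
            if registered >= since:
                reasons.append(
                    f"registered {registered:%Y-%m-%d}, inside review window")
        except ValueError:
            # A blank or malformed date is itself worth a manual look.
            reasons.append("registration date missing or unparseable")
        if reasons:
            findings.append((login, reasons))
    return findings


if __name__ == "__main__":
    for login, reasons in audit_admins(
            SAMPLE_WP_CLI_JSON, APPROVED_ADMINS, REVIEW_SINCE):
        print(f"REVIEW {login}: {'; '.join(reasons)}")
```

Any flagged account should be confirmed with the person it claims to belong to before it is kept.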

Belgian Hospitals Hit by Major Cyberattack, Causing Widespread Disruption

A major cyberattack hit several hospitals across Belgium, causing severe disruption to their ability to provide care. The attack was so serious that the hospitals had to turn away ambulances and transfer critically ill patients to other facilities. The IT systems were affected for more than a day, showing how damaging such an incident can be. 

This attack is a powerful reminder that cyberattacks can have a direct and dangerous impact on patient safety. Although this happened in Belgium, the tools and techniques used by cybercriminals are the same everywhere. Healthcare organisations in the UK, including NHS Trusts and private clinics, face the exact same risks. A similar attack here could cause chaos for the NHS and put patients in harm’s way.
 

Recommendations

  • Review and test your incident response plan to ensure you are prepared for a large-scale cyberattack.
  • Make sure that your most important clinical systems are kept separate from your main computer network to limit the damage an attacker can cause.
  • Continue to train all staff on how to spot phishing emails and other common tricks used by attackers, as these are often the starting point for a major incident.

Police Investigate Data Breach at UK Doctor's Surgery

West Midlands Police are investigating a data breach at a GP surgery in Walsall. A woman, who was a member of staff but not directly employed by the surgery, has been arrested and bailed in connection with an alleged theft. The surgery has stated that it will contact any patients who may have been affected directly.

This incident highlights the risk of insider threats within the healthcare sector. Even when individuals are not direct employees, they may still have access to sensitive patient information. For NHS organisations and their suppliers, it underlines the critical importance of having strong vetting procedures and strict access controls for all personnel, including contractors and other third-party staff, to ensure compliance with the DSPT.
 

Recommendations

  • Review and strengthen your background check and vetting processes for all staff, including contractors and third-party suppliers.
  • Implement the principle of ‘least privilege’ to ensure that staff can only access the data and systems that are absolutely necessary for their roles.
  • Monitor for any unusual patterns of data access or activity that could be a sign of an insider threat.
