This week's report covers: two critical vulnerabilities in Cisco Secure Firewall software; a Russian state-sponsored attack on Windows systems; a major US healthcare data breach that confirms the ongoing risk in health IT supply chains; and ongoing data breach notifications to thousands of London residents following last year's council cyberattack.
NHS England issued a new cyber alert (CC-4750) on 5 March 2026 for two critical vulnerabilities in Cisco Secure Firewall Management Center (FMC) software. Cisco Secure FMC is used by organisations to manage and monitor their firewalls — the systems that control what traffic is allowed in and out of a network.
Both flaws are rated critical. The first allows an attacker with no login credentials to run their own code on the affected system remotely. The second allows an attacker to bypass the authentication process entirely. Cisco has released security updates to address both issues.
Firewall management systems are some of the most sensitive pieces of infrastructure an organisation runs. An attacker who can access or compromise an FMC could change firewall rules to allow malicious traffic, cut off security protections, or gain a foothold for a wider attack.
Many NHS trusts and their IT suppliers use Cisco security products to protect clinical networks. The fact that NHS England has issued a direct alert for these vulnerabilities makes them a high priority for any health or care organisation running Cisco Secure FMC. Under DSPT requirements, patch management for critical systems should be treated as time-sensitive.
Security researchers have confirmed that APT28, a cyber espionage group linked to Russian military intelligence, was behind attacks that exploited a high-severity flaw in Windows before Microsoft released a fix. The vulnerability is tracked as CVE-2026-21513 and affects the MSHTML component — the part of Windows that handles how web content is rendered.
APT28 used specially crafted Windows shortcut files (LNK files) to trigger the flaw. When a victim opened one of these files, the attack bypassed security protections, including the "Mark of the Web" warning that normally alerts users to potentially dangerous files downloaded from the internet.
Microsoft patched this vulnerability as part of its February 2026 Patch Tuesday update. However, the full picture of how it was exploited only became clear in March 2026 when Akamai researchers published a technical analysis.
APT28 is a well-resourced threat group with a long history of targeting government bodies, defence organisations, critical infrastructure, and healthcare providers across Europe. The UK is a known target for Russian state-sponsored cyber operations.
This attack requires user interaction — typically opening a malicious file — but the bypassed security controls make it more dangerous than a typical phishing attachment. Organisations that have not yet applied Microsoft's February 2026 security updates remain at risk.
For NHS suppliers and health organisations, where staff routinely handle email attachments and documents from external parties, this is a credible risk.
TriZetto Provider Solutions, a US-based healthcare IT company owned by Cognizant, has confirmed that attackers stole the personal and health data of more than 3.4 million people. The breach began in November 2024 but was not discovered for almost a full year, with suspicious activity only identified in October 2025.
The stolen data included names, addresses, dates of birth, Social Security numbers, health insurance information, Medicare beneficiary numbers, and provider details. Affected clinics only began receiving notification letters in early February 2026, and the full scale of the breach was confirmed in March 2026.
TriZetto processes insurance eligibility checks and revenue cycle management on behalf of thousands of healthcare providers, making it a core part of the US health IT supply chain.
While TriZetto operates primarily in the United States, this incident is directly relevant to UK digital health organisations for several reasons.
First, it demonstrates how much sensitive patient data deeply embedded healthcare IT suppliers hold — often without the direct oversight of the health providers they serve. This mirrors the risks in the UK's own NHS supplier ecosystem.
Second, Cognizant operates globally, including in the UK. Any organisation that uses Cognizant or its subsidiaries for IT services should consider whether similar risks exist in their supply chain.
Third, the breach went undetected for nearly a year. This is a strong reminder that monitoring and logging — key requirements under the NHS DSPT — must be active and regularly reviewed, not simply checked as boxes on a compliance form.
Several West London councils, including Westminster, the Royal Borough of Kensington and Chelsea, and Hammersmith and Fulham, experienced a significant cyberattack in late November 2025. The attack was confirmed as a ransomware incident affecting a shared IT services provider used by all three councils.
The attack disrupted phone lines and council services across all three boroughs. The councils activated emergency plans to maintain critical services and brought in the National Cyber Security Centre to support the response.
In March 2026, Kensington and Chelsea Council began formally writing to residents to inform them that their personal data had been compromised. Residents have been warned to watch for suspicious calls, messages, or anyone claiming to be from the council and asking for personal details.
Local councils hold some of the most sensitive personal data in the public sector, including social care records, housing information, benefit claims, and safeguarding data. This type of data, once stolen, can be used for targeted fraud, identity theft, or social engineering attacks.
The shared IT services model used by these councils — where a single third-party provider supports multiple organisations — illustrates a supply chain risk that is equally present in healthcare. A single supplier compromise can affect multiple clients simultaneously.
This incident also highlights the delay between attack, discovery, and notification. Residents are only now being formally informed, several months after the attack. Under UK GDPR, personal data breaches must typically be reported to the ICO within 72 hours of discovery. Affected individuals must also be notified without undue delay.
Want help staying ahead of threats like these? Contact Periculo about our Threat Intelligence services, including weekly threat monitoring, vulnerability assessments, and supply chain risk reviews tailored for UK digital health organisations and NHS suppliers.
Visit periculo.co.uk or contact our team directly.