As high-stakes incidents in the healthcare sector surge, organisations must learn to manage information security, data protection and AI risk as a connected governance challenge. How can this be done?

By Kate O’Flaherty

On 14 December 2025, DXS International — which provides healthcare information and clinical decision support for roughly 10% of all NHS referrals in England — suffered a data breach impacting its office servers.

In a filing with the London Stock Exchange, DXS International claimed the breach was “immediately contained” in a joint effort by its internal IT security teams in close cooperation with NHS England. But soon afterwards, the DevMan ransomware group claimed to have stolen 300GB of data, including internal budgets and financial files.

While the incident itself had minimal impact and the company’s front-line clinical services remained operational, it’s a prime example of how third-party risk can cascade through the supply chain.

As incidents such as this surge, healthcare organisations must learn to manage information security, data protection and AI risk as a connected governance challenge. How can this be done?

A Major Problem

Because DXS International’s services remained up and running, it’s easy to dismiss the breach as uneventful. However, other issues could surface further down the line, says Skip Sorrels, field CTO-CISO at Claroty. “When you compromise the administrative backbone of healthcare delivery, you’re creating long-tail risks such as identity theft, phishing campaigns, and erosion of patient trust.”

Sorrels points out that “operational” doesn’t mean “safe”: “Attackers are deliberately targeting the softer administrative systems because they know these suppliers often lack the same security rigor as the clinical infrastructure they support.”

Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University, concurs with this assessment. “Stolen data can be misused, affecting patient privacy for years.”

He describes how financial repercussions, including investigation costs, legal fees and possible fines could strain resources already under pressure in public health services. “Moreover, it highlights systemic issues in digital health infrastructure, prompting broader scrutiny of how interconnected technologies handle sensitive information.”

Third Party Risks

UK healthcare has strengthened cyber efforts continuously since the WannaCry ransomware attack hit the NHS in 2017. Regulators are placing increasing focus on supply chains, recognising that vulnerabilities in managed service providers or critical suppliers can have wide-reaching impacts, says Katharina Sommer, group head of government affairs at NCC Group.

Third-party and supply-chain risks represent “one of the most pressing security challenges in healthcare”, as the sector increasingly relies on external vendors for essential services, says Curran.

“Software supply chain attacks are highly dangerous and increasingly prevalent because they exploit the interconnected nature of modern software development,” Curran tells IO. “These attacks target vulnerabilities in dependencies, build processes, or third-party components, often allowing attackers to compromise multiple companies through a single point of failure.”

Beyond the immediate impact, issues can be caused by smaller organisations with “large systemic footprints, but limited security maturity”, says Tracey Hannan-Jones, consulting director for information security and GRC, and group DPO, at UBDS Digital.

Making things worse, the healthcare sector is facing a visibility challenge, according to Claroty’s Sorrels. “Most healthcare organisations struggle to truly understand the security posture of their third and fourth-party vendors. You can’t outsource a service and think you’ve outsourced the risk.”

Regulatory Expectations

In addition to supply chain security, regulation is increasingly mandating that critical services such as healthcare must take extra steps to boost resilience. When breaches do happen, those operating in the sector are expected to safeguard data and stick to stringent reporting requirements.

The DXS International breach provides insight into the regulatory expectations governing healthcare data in the UK and EU, particularly under the General Data Protection Regulation (GDPR) and aligned UK data protection laws. “These frameworks mandate that organisations processing personal data, including health information, must ensure robust safeguards and respond transparently to incidents,” says Ulster University’s Curran.

In this case, DXS’s “prompt notification” to the Information Commissioner’s Office (ICO) and law enforcement aligns with GDPR Article 33, which requires breach reporting within 72 hours if there is a risk to individuals’ rights and freedoms, Curran says.

Similarly, UK requirements under the Data Protection Act 2018 emphasise accountability, compelling entities to document and mitigate risks associated with data handling, Curran says. “The ICO’s ongoing assessment of the incident reflects how regulators scrutinise not just the breach itself, but the adequacy of response measures, including containment and investigation protocols,” he tells IO.

Regulators increasingly demand evidence of proactive risk management because reactive approaches have proven insufficient against evolving threats — as evidenced by the rising number of cyber incidents in healthcare, according to Curran.

Interconnected Risks

The incident comes at a time when cyber, privacy and AI risks are becoming inseparable in healthcare environments due to connected systems, data sharing and automation. Meanwhile, AI-driven tools are reshaping risk profiles.

The DXS International incident exemplifies this convergence, where a supplier’s breach could “potentially expose integrated networks handling patient data, blending cybersecurity threats with privacy concerns”, says Curran.

Data sharing across ecosystems – between providers, suppliers, and even cross-border entities – further erodes traditional boundaries, he points out. “Under frameworks such as the NHS’s Health and Social Care Network, information flows dynamically. This interconnectedness can lead to a cyber incident cascading into privacy violations, such as the inadvertent disclosure of sensitive health records.”

With this risk in mind, treating cyber, privacy, and AI risks in silos within healthcare environments “fosters significant blind spots”, says Curran.

Instead, firms need to take a joined-up approach to risk governance. This requires using integrated frameworks that bring together information security, data protection and AI governance to support resilience, trust and long-term compliance.

For example, organisations need to consider AI agents and humans as “a combined workforce that interacts with software and infrastructure”, says Javvad Malik, lead CISO advisor at KnowBe4. “For this we need clear accountability, supplier assurance, and oversight that brings data, humans, and AI together to support trust and resilience.”

Frameworks such as the National Cyber Security Centre’s Cyber Assessment Framework, ISO 27001 and NIST Cybersecurity Framework provide “practical tools to integrate controls, policies and risk metrics”, says NCC Group’s Sommer. “This helps organisations build trust, demonstrate compliance and manage cyber risk in a coherent and defensible way.”

Ulster University’s Curran advises establishing “cross-functional teams” comprising experts from cybersecurity, privacy and AI to collaborate on risk assessments, ensuring that threats are evaluated through “a multifaceted lens”.

Resilient, Trustworthy and Future-Ready

Healthcare organisations and the suppliers they rely on must work to build more resilient, trustworthy and future-ready risk management practices.

To win, organisations need to move towards a unified approach to risk, says Ivan Milenkovic, vice president risk technology EMEA at Qualys. “Instead of reinventing the wheel, the best teams integrate established international standards for security, privacy and the emerging frontier of AI management into one engine.”

Central to this is embedding risk management into organisational culture through unified policies that mandate “regular, integrated audits”, Ulster University’s Curran advises.

Organisations should also implement a shared responsibility model with their vendors, says Claroty’s Sorrels. “Don’t treat supplier contracts as ‘set and forget’. Demand continuous transparency, evidence of security testing and proof they’re meeting baseline standards.”