Skip to content

Patient 'fuming' over NHS provider cyber attack

Bea SwallowWest of England
News imageJohn Adams A selfie of John Adams. He has shoulder length light grey hair, a beard and bushy eyebrows. He is standing outdoors on a cloudy day beside a tree.John Adams
John Adams had his personal information leaked during the hack

A man whose personal data was leaked after his healthcare provider was hacked said he is "fuming" at the lack of communication with patients.

John Adams, 69, and from Bath, received a letter from the HCRG Care Group on Saturday saying his personal data had been compromised in February 2025.

An investigation by the independent healthcare provider found this included his date of birth, address, national insurance number, phone number and hospital number.

The care group blamed the 15-month delay in telling patients on "uncertain details", adding there "continues to be no evidence" to suggest the data has been misused.

More from Somerset

HCRG Care Group, formerly Virgin Care, provides community health and social care services across Bath and North East Somerset (BANES), Swindon and Wiltshire.

It is commissioned by the NHS and local authorities to run services like GP practices, urgent care centres and sexual health clinics.

Adams receives daily care at home from nurses at HCRG and earlier this year spent a month in St Martin's Hospital in Bath with a broken femur.

"You don't want all your private medical stuff going around, it's wrong," he said.

"They've only just let us know - 15 months late. I was fuming."

Adams said he is now increasingly concerned the third-party thieves could use his personal information to access his bank accounts - something HCRG denies.

"It's disgusting," he said. "Other people are going to be worried to death over this."

News imageGetty Images A stock image showing a man typing complicated coding on a black laptop. Beside it is a silver hard drive with lots of wires coming out of it.Getty Images
HCRG said a third party temporarily gained unauthorised access to their network and "may have copied data" from the system

HCRG said when it first became aware of the "unauthorised suspicious activity" it immediately launched an investigation with the help of cyber security experts.

"We reported the matter to all appropriate authorities including law enforcement, the Information Commissioner's Office (the ICO) and our other regulators," a HCRG spokesperson said.

The investigations that followed were "complex" and "necessary" to establish which data was affected and who was impacted, it added.

"This process took time given the complexities involved, and the need to establish what data was affected so that people were accurately informed.

"There is no evidence the affected data was misused as part of the incident or subsequently.

"We are working to ensure that people affected receive the support they require."

Follow BBC Somerset on Facebook and X. Send your story ideas to us on email or via WhatsApp on 0800 313 4630.

More on this story
Related Internet Links