DXS International, a British technology company whose software is widely used throughout the National Health Service (NHS), has disclosed a cybersecurity incident affecting its internal systems.

In a notice to the London Stock Exchange, the company said it detected unauthorized access to office servers on December 14. DXS said it contained the breach and that its clinical services remained unaffected and operational throughout.

At present there is no confirmation whether NHS patient data was compromised, although the company said it has notified Britain’s data protection regulator, the Information Commissioner’s Office (ICO). A spokesperson for NHS England did not immediately respond to a request for comment about whether patient data has been impacted.

DXS said investigations are ongoing and that it is working with NHS cybersecurity teams and external specialists “whose thorough investigations are underway to establish the nature and extent of the incident.”

The company, which added that it did not currently believe the incident would have a material adverse impact on its finances, provides clinical decision support and referral management tools used by GP practices and primary care networks across England. Its products integrate with core NHS systems and, according to the company’s own statements, it supports around 10% of all NHS referrals in England, with its software touching the workflows for millions of registered patients.

The company is not a core electronic health record provider and does not hold central medical records; however, patient data is processed by some of its systems used to provide clinical guidance to healthcare providers.

The incident comes amid heightened concern over attacks on health technology suppliers in the United Kingdom that have underscored how incidents affecting third-party systems, even when not hosting core records, can have operational implications.

Not an isolated incident

At least one patient is believed to have died following a ransomware attack on pathology provider Synnovis last year, with thousands of operations and appointments also cancelled.

Another ransomware attack impacting software supplier Advanced back in 2022 led to the temporary shutdown of the NHS 111 critical service used to triage non-emergency but urgent medical calls. In that incident, doctors, nurses and other staff were forced to resort to pen and paper to complete their jobs due to the impact on IT systems — provoking a crisis management COBR meeting in the British government as officials feared the impact the attack could have on patient care. Advanced was subsequently fined £3 million by the ICO for its security failings.

Britain's current regulations for cybersecurity do not automatically include third-party health IT suppliers like DXS within their provisions requiring them to meet specific security standards.

The government last month introduced its landmark Cyber Security and Resilience Bill to Parliament, threatening large fines for companies that fail to protect themselves from cyberattacks. Under the bill, companies that provide managed IT services to critical sectors, including healthcare, could be brought under the regulation.

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.