DXS International, a provider of healthcare technology for the NHS, has reported a cyber attack that resulted in the theft of data.

Overview of the Incident

• The UK-based company supplies software to approximately 2,000 GPs, managing care for around 17 million patients.
• The breach was detected on December 14, 2025, and disclosed in a filing with the Stock Exchange on December 18, 2025.
• DXS stated that it quickly contained the breach with assistance from the NHS and has informed law enforcement and regulatory bodies, including the Information Commissioner’s Office.

Impact on Services

According to the company, there was minimal impact on its services, and frontline clinical operations remain unaffected and operational.

Investigation and Response

• DXS has engaged a cybersecurity firm to investigate the incident and assess its nature and extent.
• The ransomware group DevMan has claimed responsibility for the attack, alleging that they stole 300 gigabytes of data.

Statements from Authorities

An NHS England spokesperson mentioned that they are collaborating with the National Cyber Security Centre and law enforcement to address the situation, confirming that no patient services have been reported as impacted.

Expert Commentary

Cybersecurity expert Saif Abed emphasized the need for enhanced oversight of NHS suppliers, advocating for a comprehensive inquiry into NHS cybersecurity and patient safety.

Context of Cybersecurity in the NHS

This incident follows a previous cyber attack on Barts Health NHS Trust, which resulted in personal patient and staff information being leaked online. Additionally, the pathology supplier Synnovis is reaching out to NHS organizations affected by a major cyber attack in June 2024 that disrupted services and led to a patient death.

Legislative Developments

In response to ongoing cybersecurity threats, the Cyber Security and Resilience Bill was introduced in Parliament in November 2025. This legislation aims to enhance cybersecurity measures for around 1,000 service providers, requiring third-party suppliers to improve their data protection and network security.