A cyber attack on a behind-the-scenes supplier can reach all the way to some of the most vulnerable people in the country. The NRS Healthcare incident is a difficult but important example.
What happened
NRS Healthcare is one of the UK's largest providers of community equipment — wheelchairs, hospital beds, hoists, mobility and daily-living aids — supplied on behalf of the NHS and many local councils. Following a cyber incident, multiple councils warned that residents' personal data (such as names, addresses, phone numbers and details of equipment issued) may have been compromised, and the disruption affected the supply of equipment that people rely on to live independently and leave hospital safely. St Christopher's and other care organisations issued statements to reassure and advise those affected. Councils urged residents to be extra cautious of unexpected calls, emails or visits in the aftermath.
Why it matters to you
This incident shows two things sharply. First, the data and services that matter most often sit with third-party suppliers — and a breach there becomes everyone's problem. Second, in health and care the consequences aren't only financial or reputational; they affect real people's wellbeing and safety, which raises the stakes for getting supplier resilience right.
What to do
- Map your critical and data-handling suppliers and understand what they hold about your clients or staff.
- Set security expectations in contracts — certification, MFA, breach notification.
- Have a fallback for essential services if a supplier is disrupted.
- Warn your community promptly after any breach to blunt follow-on scams.
Note: this story developed over time; we've dated this piece to when the incident first became public — let us know if you'd prefer the date of the specific statement.
Want to understand your own supplier and cyber risk? Get in touch and we'll help you make sense of it.
Source: Statement on NRS Healthcare cyber security attack — St Christopher's