Personal data on nearly 33,000 patients was stolen and shared online in June 2024, Bedfordshire Hospitals NHS Foundation Trust has revealed.
The trust said it was “possible” that data on patients who had laboratory or diagnostic results between 2011 and 2020 from the hospitals it operates, Bedford Hospital and Luton & Dunstable Hospital.
The breach affected an organisation that provides essential services to the trust, as part of a broader incident affecting other healthcare bodies, the trust said.
Diagnostic results
As the data was fragmented across multiple databases, it took nearly two years for specialist analysis to clarify what information was present and what organisations it related to.
Data on the 32,927 affected could include name, date of birth, NHS number, postcode, and test results, the trust said.
“During the attack, criminals unlawfully accessed internal systems and extracted a set of files, which were later published on online forums known for sharing stolen data,” the trust said in a lengthy statement on Tuesday.
“In October 2025, the supplier informed us that some data relevant to our organisation was included in the material they had recovered and analysed. We have since undertaken our own review of that material.”
The trust said it believes the risk of the data being misused is low, as it is fragmented and historic.
Historic data
It said the supplier has obtained a court injunction to help prevent third parties from sharing the information.
It noted that publication alone did not mean the data had been used in a harmful way, adding that it was not aware of evidence that the information had been accessed or used inappropriately.
But it acknowledged there was a “limited risk” of personal data being used in unsolicited contacts by potential scammers.
The trust said it liaised with the NHS England information governance team and notified the Information Commissioner’s Office.
Hospital Breach Affects Nearly 33,000 Patients | Silicon UK Tech
