Freedom of Information request: Cyber Security

Response published: 19 September 2025

FOI Request

To whom it may concern,

I am writing to request information under the Freedom of Information Act 2000 regarding the cyber security of your NHS Trust, specifically relating to incidents and the current measures in place to mitigate such threats.

1. Ransomware incidents (FY2022–FY2025)

Please confirm whether any digital systems within hospitals managed by your NHS Trust were affected by ransomware attacks during the financial years 2022–2023 through to 2024–2025 (inclusive).

If yes: How many separate ransomware incidents occurred within this period? For each incident, please provide:
The date or month of occurrence
A brief description of the nature of the attack (e.g. type of ransomware, point of system entry, services impacted)

2. Data breaches following cyber incidents (FY2022–FY2025)

Were any data breaches reported as a result of ransomware or other cyber incidents during this period? If yes, please provide for each breach:
The type(s) of data affected (e.g. patient records, staff information)
The specific impacts of each breach, categorised as follows (where applicable):
Loss of patient data
Loss of staff data
Disruption to patient services (please specify which services, if known)
Disruption to operational processes
Financial impact (e.g. cost of recovery, penalties, compensation, etc.)
Other impacts – please specify

3. Current cyber security measures (as of date of request)

Please list all cyber security measures and protocols currently in place across the Trust. These may include, but are not limited to:
Cyber insurance (including provider and coverage if available)
Internal and external firewall systems
Use of multi-factor authentication (MFA) for user accounts
Access control systems for sensitive data and critical systems
Anti-virus and anti-malware protection
Cyber security training or awareness programmes for employees
Regular penetration testing or security audits (please specify frequency)
Existence and status of an incident response plan (e.g. last updated date)

I look forward to your reply.

FOI Response

Freedom of Information Request – Ref: GHC-28072025-595815

Thank you for your recent Freedom of Information request. Please find our response below.

You asked:

I am writing to request information under the Freedom of Information Act 2000 regarding the cyber security of your NHS Trust, specifically relating to incidents and the current measures in place to mitigate such threats.

1. Ransomware incidents (FY2022–FY2025) Please confirm whether any digital systems within hospitals managed by your NHS Trust were affected by ransomware attacks during the financial years 2022–2023 through to 2024–2025 (inclusive).

If yes: How many separate ransomware incidents occurred within this period? For each incident, please provide: The date or month of occurrence, brief description of the nature of the attack (e.g. type of ransomware, point of system entry, services impacted)

Our response:

We have not answered this question applying the section 24 exemption of neither confirm nor deny caveat.

You asked:

2. Data breaches following cyber incidents (FY2022–FY2025) Were any data breaches reported as a result of ransomware or other cyber incidents during this period? If yes, please provide for each breach: The type(s) of data affected (e.g. patient records, staff information), the specific impacts of each breach, categorised as follows (where applicable):

Loss of patient data, loss of staff data, disruption to patient services (please specify which services, if known), disruption to operational processes, financial impact (e.g. cost of recovery, penalties, compensation, etc.), other impacts – please specify

Our response:

We have not answered this question applying the section 24 exemption of neither confirm nor deny caveat.

You asked:

3. Current cyber security measures (as of date of request) Please list all cyber security measures and protocols currently in place across the Trust. These may include, but are not limited to:

Cyber insurance (including provider and coverage if available), internal and external firewall systems, use of multi-factor authentication (MFA) for user accounts, access control systems for sensitive data and critical systems, anti-virus and anti-malware protection, cyber security training or awareness programmes for employees, regular penetration testing or security audits (please specify frequency), existence and status of an incident response plan (e.g. last updated date)

Our response:

We have not answered this question applying the section 24 exemption of neither confirm nor deny caveat.

Next steps:

Should you have any queries in relation to our response, please do not hesitate to contact us. If you are unhappy with the response you have received in relation to your request and wish to ask us to review our response, you should write to:

Louise Moss
Head of Legal Services / Associate Director of Corporate Governance
c/o Gloucestershire Health and Care NHS Foundation Trust
Edward Jenner Court
1010 Pioneer Avenue
Gloucester Business Park
Brockworth, GL3 4AW
E-mail: louise.moss@ghc.nhs.uk

If you are not content with the outcome of any review, you may apply directly to the Information Commissioner’s Office (ICO) for further advice/guidance. Generally, the ICO will not consider your case unless you have exhausted your enquiries with the Trust which should include considering the use of the Trust’s formal complaints procedure. The ICO can be contacted at: The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.