
Freedom of Information request Cyber Security Breaches – 2020 to 2026

Response published: 23 April 2026

FOI Request

Dear team,

Under the Freedom of Information Act, I would like to request the following information for each calendar year from 2020 to 2026 inclusive:

1. The number of cyber security breaches that have been identified that were found to be a result of a malicious threat actor (i.e. not an accidental data breach).

2. The breakdown of high-level causes of these breaches as identified by cyber security incident response teams (CSIRTs), for example (but not limited to) unpatched software/hardware, lack of multi-factor authentication (MFA), leaked user credentials, lack of in-transit encryption, etc.

3. The number of breaches that occurred that were attributed to a previously known vulnerability in the organisation's hardware, software, policies, or processes, for example where a system was known to be at risk due to being unpatched or out of support, or security controls were recommended but not enforced, and this was defined within the resulting incident response report.

4. The estimated combined costs incurred as a result of the cyber security breaches defined in request number one in each year.

No specific details are requested in relation to software/hardware utilisation, but rather high-level causes of breaches. I believe the high-level nature of this request does not allow for the use of s.31(1)(a) of the FOIA, as this would not be likely to prejudice the security of your systems or data, as these are historical incidents which have since been dealt with. The public interest in understanding breach causes across public sector organisations outweighs the public interest in the exemption.

I would like you to provide the information in Word, Excel, or CSV format. Please contact me if you need me to clarify my request.

Yours faithfully,

FOI Response

Freedom of Information Request – Ref: FOI 110-2026

Thank you for your recent Freedom of Information request. Please find our response below.

You asked:

1. The number of cyber security breaches that have been identified that were found to be a result of a malicious threat actor (i.e. not an accidental data breach)

2. The breakdown of high-level causes of these breaches as identified by cyber security incident response teams (CSIRTs), for example (but not limited to) unpatched software/hardware, lack of multi-factor authentication (MFA), leaked user credentials, lack of in-transit encryption, etc.

3. The number of breaches that occurred that were attributed to a previously known vulnerability in the organisation's hardware, software, policies, or processes, for example where a system was known to be at risk due to being unpatched or out of support, or security controls were recommended but not enforced, and this was defined within the resulting incident response report.

4. The estimated combined costs incurred as a result of cyber security breaches defined in request number one in each year.

Our response:

We have applied the Freedom of Information Act 2000 exemption, Section 36(2)(c) (Prejudice to the Effective Conduct of Public Affairs), to the remaining part of your question above. Please see the explanation below.

Freedom of Information Act 2000 – Exemption Applied – Section 36(2)(c) – Prejudice to the Effective Conduct of Public Affairs

For all parts of your freedom of information request the Trust has applied an exemption under section 36(2)(c) of the Freedom of Information Act 2000.  This exemption applies where, in the reasonable opinion of a Qualified Person, disclosure of the information would otherwise prejudice, or would be likely otherwise to prejudice, the effective conduct of public affairs.

Reason for applying the exemption

The information requested relates to the Trust’s cyber security arrangements, including details of systems, services, or protections used to secure its digital infrastructure.  In the reasonable opinion of the Qualified Person, disclosure of this information would be likely to prejudice the effective conduct of public affairs, as it would:

  • Undermine the Trust’s ability to manage and mitigate cyber security risks;
  • Reduce the effectiveness of security controls by exposing aspects of the Trust’s defensive arrangements;
  • Increase the likelihood of cyber-attack, system compromise, or service disruption; and
  • Impact the Trust’s ability to deliver safe and effective healthcare services.

Cyber security forms an essential part of the Trust’s operational governance and service delivery. Providing detailed information about defensive measures or configurations would be likely to assist malicious actors and weaken the Trust’s capacity to protect patient data, maintain system availability, and ensure continuity of care.

The exemption is therefore engaged as disclosure would be likely to inhibit the Trust’s ability to carry out its public functions effectively.

Next steps:

Should you have any queries in relation to our response, please do not hesitate to contact us. If you are unhappy with the response you have received in relation to your request and wish to ask us to review our response, you should write to:

Louise Moss
Head of Legal Services / Associate Director of Corporate Governance
c/o Gloucestershire Health and Care NHS Foundation Trust
Edward Jenner Court
1010 Pioneer Avenue
Gloucester Business Park
Brockworth, GL3 4AW
E-mail: louise.moss@ghc.nhs.uk

If you are not content with the outcome of any review, you may apply directly to the Information Commissioner’s Office (ICO) for further advice/guidance. Generally, the ICO will not consider your case unless you have exhausted your enquiries with the Trust which should include considering the use of the Trust’s formal complaints procedure. The ICO can be contacted at: The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.