© 2026 Arviteni Ltd. All rights reserved.

Arviteni Ltd. Registered in England and Wales. Company No. 12255133. VAT No. 340921227. Registered office: Greetwell Place, 2 Lime Kiln Way, Lincoln, LN2 4US.

14 March 2026 · 11 min read · Arviteni

The State of Cyber Security in Adult Social Care: What the Government Report Tells Us

The government's first major study of cyber security in adult social care reveals that a third of providers have experienced cyber incidents, many go unreported, and risky behaviours like device sharing and shared email accounts persist. Here is what care providers need to know and what to do about it.

Cybersecurity
Compliance
Care Homes
Data Security
DSPT


In March 2025, the Department of Health and Social Care published "Understanding the State of Cyber Security in Adult Social Care," the first major government study focused specifically on cyber security across the care sector in England. Produced by Ipsos UK in collaboration with the Institute of Public Care, it surveyed 575 regulated care providers alongside interviews with technology suppliers and sector leaders.

The findings are a mixture of progress and persistent vulnerability. Most care providers say cyber security is a priority. Many have policies, backups, and insurance in place. But underneath those headline figures, a pattern of risky behaviour persists: shared devices, shared email accounts, personal phones used for work, and a detection gap that means many providers do not know when they have been attacked.

For care providers handling medical records, safeguarding notes, mental capacity assessments, and financial information for vulnerable adults, that gap matters. This post looks at what the report found, what it means for the sector, and what care providers should be doing in response.

What the report found

One in three providers has experienced a cyber incident

33% of care providers reported experiencing a cyber incident or unsuccessful attack in the last three years. Of those who experienced incidents, phishing was the most common (75%), followed by email impersonation attacks (35%). 44% of attacks originated from third-party organisations, highlighting the supply chain as a significant attack vector.

The average cost across all providers was £2,575 over three years. For those who actually experienced incidents, the average rose to £9,528, with the most expensive single incident costing over £900,000. 52% of incidents had no measurable financial impact, which may sound reassuring but likely reflects incidents that were not fully assessed or where the costs were absorbed informally.

The reporting gap

The report explicitly flags the 33% figure as likely underreported. Representatives and sector leaders interviewed raised concerns about three contributing factors: lack of awareness (providers not recognising incidents when they occur), poor monitoring (incidents going undetected entirely), and fear of reputational damage discouraging disclosure.

This aligns with the broader Cyber Security Breaches Survey 2025, which, using a different methodology, found that 41% of health and care organisations reported breaches or attacks. The true incidence rate across care is almost certainly higher than one in three.

Risky behaviours persist

The report identified several behaviours that undermine even well-intentioned security policies:

Device sharing. 39% of providers reported frequent organisational device sharing. In care settings, shared tablets and computers are common due to shift-based work and limited hardware budgets. But shared devices without proper user session management mean one compromised account can expose everything.

Shared email accounts. 30% of providers regularly share email addresses. This makes it impossible to attribute actions to individuals, undermines audit trail integrity, and means a single compromised mailbox gives an attacker access to everyone's communications.

Personal device use. 33% permit staff to use personal devices for work without adequate controls. When care workers access care records, rotas, or internal communications on personal phones that may not be updated, encrypted, or managed, the organisation's data is only as secure as the least secure personal device on the network.

What providers are doing well

It is not all concerning. The report shows genuine progress in several areas:

  • 82% have formal cyber security policies
  • 80% have business continuity plans covering cyber incidents
  • 81% back up data regularly, with 56% doing so daily or more frequently
  • 64% carry cyber security insurance
  • 79% used established approaches to identify cyber threats in the last 12 months
  • 90% self-reported that cyber security is a high priority

The gap is between policy and practice. Having a cyber security policy is one thing. Ensuring that policy is reflected in day-to-day behaviour, that staff are tested on it, and that the organisation can detect when it is being breached is another.

Where the gaps are

  • 17% used no threat identification measures at all
  • Only 41% test staff awareness through exercises like phishing simulations
  • Only 38% conduct vulnerability audits
  • Only 61% have an incident response plan
  • 49% cited cost as the primary barrier to improving cyber security
  • 34% cited insufficient time and capacity

The combination of untested staff awareness, limited vulnerability assessment, and no incident response plan for nearly 40% of providers is the most concerning cluster. These are the organisations most likely to be breached without knowing it and least prepared to respond when they find out.

Why this matters for care specifically

Care providers hold some of the most sensitive personal data in any sector: medical records, care plans, medication histories, safeguarding reports, mental capacity assessments, and financial information for adults who may not be able to advocate for themselves.

A data breach in care is not just a regulatory problem. It has direct safeguarding implications. If a vulnerable adult's care records are exposed, or a safeguarding report is accessed by someone who should not see it, the consequences go beyond fines and reputational damage.

Recent incidents show the scale of risk

The threat is not theoretical. In June 2024, the Synnovis ransomware attack on an NHS pathology provider led to over 10,000 cancelled appointments, 1,700 postponed operations, nearly 600 patient safety incidents, and at least one patient death partly attributed to delays caused by the attack.

In February 2025, HCRG Care Group (formerly Virgin Care), which employs over 5,000 people and serves 500,000 patients, was attacked by the Medusa ransomware group. The attackers claimed to have stolen 50 terabytes of data, including employee information, medical records, and financial documents.

In December 2025, DXS International, a healthcare technology provider used by NHS GP practices, confirmed a data breach affecting its office servers, with 300 gigabytes of data allegedly stolen.

These are not small-scale incidents. They demonstrate that the health and care supply chain is actively targeted, that the consequences are severe, and that the risk extends beyond the care provider itself to every technology supplier in the chain.

NHS is tightening supply chain scrutiny

In January 2026, NHS England's National CISO and Executive Director of National Cyber Operations published an open letter to suppliers setting out eight mandatory expectations: patched systems, DSPT compliance, multi-factor authentication, continuous monitoring, immutable backups, board-level cyber exercising, adherence to the NCSC Software Code of Practice, and proportionate supply chain risk management.

NHS England is now proactively contacting suppliers to verify these controls. While this is framed as a partnership rather than an audit, it represents a material tightening of expectations for anyone in the health and care technology supply chain.

For care providers, the implication is clear: your technology suppliers will face increasing scrutiny, and by extension, so will your own security posture. Commissioners and partners will expect you to demonstrate that your data is protected.

What care providers should do

Complete the DSPT

The Data Security and Protection Toolkit is now a legal requirement for all CQC-regulated care providers. 69% are currently compliant (achieving "Standards Met" or "Approaching Standards"). The 2025 to 2026 version (version 8) is live, with a deadline of 30 June 2026.

If you have not completed the DSPT, or if your status has lapsed, free support is available through the Better Security, Better Care programme: 0808 196 4848 or help@digitalcarehub.co.uk. 28 local support organisations across England offer in-person training, workshops, and site visits.

We have written a detailed guide to DSPT compliance for care homes that covers each requirement and how to meet it.

Get Cyber Essentials certified

Cyber Essentials certification is increasingly expected by commissioners, insurers, and NHS partners. The five controls it covers (firewalls, secure configuration, user access control, malware protection, and security updates) are the fundamentals that prevent the majority of common attacks.

64% of care providers already have cyber insurance, but many insurers now require Cyber Essentials as a baseline. Without it, care providers face higher premiums or may not be able to obtain cover at all.

Stop sharing accounts

This is one of the most impactful changes a care provider can make, and it costs almost nothing. Every staff member needs their own login. Shared accounts make it impossible to know who accessed what, when, and from where. They undermine every other security measure you have in place.

Cyber Essentials requires individual accounts. CQC inspectors assessing data security governance under the "Safe" and "Well-led" questions will look for evidence of access controls. Shared accounts fail both tests.
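The attribution problem described here and in the "Risky behaviours persist" section above can be made visible from ordinary sign-in logs. The following is an added example, not code from the Arviteni post or from the DHSC report: it parses constructed sign-in events (the account names, IP addresses and device identifiers are invented for illustration) and flags any account that is used from two or more distinct devices inside a one-hour sliding window, which is the signature of a shared login such as a "nurse station" account. The log format and the one-hour window are assumptions; adapt both to whatever your care system or identity provider actually emits.

```python
"""Flag accounts that look shared: one login used from several devices at once.

Added example (not from the Arviteni post or the DHSC report). The log
lines, account names, IPs and device ids below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: timestamp, event, account, source IP, device id.
SAMPLE_LOG = """\
2026-03-10T07:58:12Z login account=nurse.station ip=10.20.1.15 device=TAB-01
2026-03-10T08:01:40Z login account=nurse.station ip=10.20.1.22 device=TAB-04
2026-03-10T08:03:05Z login account=nurse.station ip=10.20.1.31 device=TAB-07
2026-03-10T08:10:00Z login account=a.patel ip=10.20.1.40 device=PC-03
2026-03-10T12:30:00Z login account=a.patel ip=10.20.1.40 device=PC-03
2026-03-10T19:45:10Z login account=a.patel ip=10.20.2.9 device=PC-11
"""

# Assumption: two devices within one hour is suspicious. A named individual
# moving between a PC and a tablet over a whole day is normal and not flagged.
WINDOW = timedelta(hours=1)


def parse_line(line: str) -> dict:
    """Parse one 'ts event key=value ...' line into a dict."""
    ts, _event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "account": fields["account"],
        "ip": fields["ip"],
        "device": fields["device"],
    }


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_shared_accounts(events: list, window: timedelta = WINDOW,
                         min_devices: int = 2) -> dict:
    """Return {account: set_of_devices} for every account seen on at least
    `min_devices` distinct devices within any `window`-long sliding interval."""
    by_account = defaultdict(list)
    for event in events:
        by_account[event["account"]].append(event)

    flagged = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            devices = set()
            for event in evs[i:]:
                if event["ts"] - start["ts"] > window:
                    break
                devices.add(event["device"])
            if len(devices) >= min_devices:
                flagged[account] = flagged.get(account, set()) | devices
    return flagged


def report(flagged: dict) -> list:
    """Human-readable lines for a weekly access review."""
    return [
        f"{account}: used from {len(devices)} devices within {WINDOW} "
        f"({', '.join(sorted(devices))}) - likely shared login, assign individual accounts"
        for account, devices in sorted(flagged.items())
    ]


if __name__ == "__main__":
    for line in report(find_shared_accounts(parse_log(SAMPLE_LOG))):
        print(line)
```

Run against a real export, the output is a short list of logins to convert into named individual accounts; once every user has their own credentials, the same check becomes a detection rule, because a named account appearing on three tablets in five minutes is then a credential-sharing or compromise signal rather than business as usual.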

Manage devices properly

If staff use shared devices, implement session management so each person logs in with their own credentials. If staff use personal devices for work, establish a clear policy covering minimum security requirements (screen lock, encryption, updates) and consider a mobile device management solution.

Network segmentation is equally important. Care system devices, staff devices, and guest or personal devices should be on separate VLANs. A compromised personal phone on the same network as your care records system is a path to a breach. Our zero trust security guide covers this architecture in detail.

Test your people

Only 41% of care providers test staff awareness. Phishing simulations, conducted sensitively and without blame, are one of the most effective ways to identify who needs additional support. Combine regular testing with short, practical training that reflects the actual threats care staff encounter: suspicious emails, fake password reset requests, and social engineering phone calls.

Build an incident response plan

39% of care providers do not have one. An incident response plan does not need to be complex, but it does need to exist and be tested. At minimum, it should answer: who leads the response, how do we contain the breach, who do we notify (ICO within 72 hours, CQC, affected individuals), how do we recover, and what do we learn.

Care England and the Cyber Resilience Centre Network are running a free webinar series for the care sector, including "Preparing for a Cyber Incident: Tools and Tips for the Care Sector" on 23 March 2026. It is worth attending.

Back up properly and test recovery

81% of care providers back up data regularly, which is encouraging. But backing up is only half the equation. Recovery needs to be tested. Can you actually restore from backup within an acceptable timeframe? Do the backups include everything you need? Are they stored separately from your main network so that a ransomware attack cannot encrypt them too?

Immutable backups (backups that cannot be altered or deleted once written) are now an NHS expectation for suppliers and are increasingly considered best practice across the sector.
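The questions above ("can you actually restore, and does the backup include everything?") only get answered by doing a restore and comparing the result with what was backed up. The following is an added example and not code from the Arviteni post: it records a SHA-256 manifest of the source tree at backup time, then checks a restored tree against that manifest and reports files that are missing, corrupted or unexpected. The `demo()` function builds constructed sample data (invented file names and contents) in a temporary directory and deliberately damages the "restored" copy, so the whole thing runs offline. Storing the manifest alongside the immutable copy, rather than only on the live system, is an assumption about your setup, but it is what makes the check trustworthy after a ransomware event.

```python
"""Restore test: verify a restored backup against a manifest taken at backup time.

Added example, not code from the Arviteni post. demo() fabricates sample data
in a temp directory; nothing here touches real care records.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root, '/' separated) to its SHA-256."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): _sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree with the manifest recorded at backup time.

    'missing'    : backed up but not restored (incomplete backup or restore)
    'mismatched' : restored but content differs (corruption or tampering)
    'extra'      : present in the restore but never backed up
    """
    found = build_manifest(restored)
    missing = sorted(set(manifest) - set(found))
    extra = sorted(set(found) - set(manifest))
    mismatched = sorted(p for p in manifest if p in found and found[p] != manifest[p])
    return {
        "missing": missing,
        "mismatched": mismatched,
        "extra": extra,
        "ok": not (missing or mismatched or extra),
    }


def demo(damage_restore: bool = True) -> dict:
    """Constructed scenario: back up a small tree, restore it, optionally
    corrupt one file and drop another, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "care_records"
        (src / "residents").mkdir(parents=True)
        (src / "residents" / "r001.json").write_text('{"id": 1, "plan": "sample"}')
        (src / "residents" / "r002.json").write_text('{"id": 2, "plan": "sample"}')
        (src / "meds.csv").write_text("resident,drug,dose\n1,example,10mg\n")

        # Taken at backup time; keep a copy with the immutable backup itself.
        manifest = build_manifest(src)

        # Stand-in for "restore from backup to a scratch location".
        restored = Path(tmp) / "restore_test"
        shutil.copytree(src, restored)

        if damage_restore:
            # Silent corruption of a dose record and one file not restored.
            (restored / "meds.csv").write_text("resident,drug,dose\n1,example,100mg\n")
            (restored / "residents" / "r002.json").unlink()

        return verify_restore(manifest, restored)


if __name__ == "__main__":
    result = demo()
    print("restore OK" if result["ok"] else f"restore FAILED: {result}")
```

A restore test that passes this check proves three things at once: the backup job captured every file, the storage returned them unchanged, and the restore procedure actually works in the time you allowed for it. Run it on a schedule against a scratch location, never over the live system, and treat any non-empty `missing` or `mismatched` list as an incident to investigate rather than a glitch to ignore.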

The bigger picture

The government's cyber security strategy for health and social care to 2030 sets out a vision for a "cyber resilient" sector. It commits to aligning the DSPT with the Cyber Assessment Framework, investing at least £15 million over two years in adult social care cyber improvements, and establishing sector-wide threat intelligence sharing.

The Cyber Security and Resilience Bill, currently progressing through Parliament, will expand regulatory scope to cover managed service providers and designated critical suppliers, with mandatory 24-hour incident reporting and penalties up to £17 million or 4% of global turnover.

The direction is clear: expectations for cyber security in care are rising, enforcement is tightening, and the consequences of inaction are growing. The DHSC report is a baseline measurement. The question is what providers do with the findings.

Where to start

If you are not sure where your organisation stands, start with the DSPT. It provides a structured self-assessment that identifies your gaps. From there, Cyber Essentials certification addresses the technical fundamentals. Both have free support available specifically for care providers.

If you want to go further, or if you need help implementing the controls rather than just identifying the gaps, get in touch. We work with care providers on security architecture, network segmentation, device management, and compliance, and we can help you build a security posture that is proportionate to the data you hold and the people you serve.