Healthdaq cyberattack

A recruitment platform used by health trusts, Healthdaq, was hit by cyber‑attackers who claimed to have stolen hundreds of thousands of files containing personal data. While the platform serves hiring workflows rather than patient care, another large health‑adjacent breach adds to public wariness about connecting records to new apps. (bbc.com)

Hackers say they pulled 457,188 files from Healthdaq, a recruitment platform used by health trusts in Northern Ireland, and the company says the breach may include names, contact details, curriculum vitae, qualifications, passport copies, and other government identity documents. The incident was discovered on March 30, 2026, and Healthdaq said some records may also contain health information. (bbc.com)

Healthdaq is not the system that runs hospital wards or stores day-to-day patient charts. It is the digital front desk for hiring, where doctors, nurses, and other staff upload career records so employers can check who they are and whether they are qualified. (healthdaq.com, app.healthdaq.com)

That hiring role explains why the stolen files are so sensitive. A recruitment profile can work like a suitcase packed with identity paperwork: one account may hold a résumé, a license, a passport scan, contact details, and proof of qualifications in one place. (bbc.com, healthdaq.com)

Healthdaq told users in an email that the attack may create risks including identity theft, fraud, and misuse of personal information. That warning fits the file types involved, because passport images and address details are the raw material criminals use to open accounts, impersonate people, or build more convincing scams. (bbc.com, yahoo.com)

Under United Kingdom data protection rules, an organisation that becomes aware of a reportable personal data breach is expected to notify the Information Commissioner’s Office within 72 hours where feasible. If the breach is likely to create a high risk to people’s rights and freedoms, it must also tell the affected individuals without undue delay. (ico.org.uk)

The public anxiety here comes from the supply chain shape of the attack. Even when a breach hits a contractor rather than a hospital itself, the fallout lands on the same nurses, doctors, and applicants whose records were handed over because the health system asked them to use that platform. (bbc.com, healthdaq.com)

Britain’s health sector has seen this pattern before. In June 2024, the Synnovis ransomware attack hit a pathology provider serving National Health Service hospitals in London, disrupting blood testing and exposing patient data through a company that sat beside the health service rather than inside a hospital building. (news.sky.com, thedoctor.bma.org.uk)

The technical lesson is old but still expensive: attackers often go after the side doors. The National Cyber Security Centre says ransomware defense depends on basics like multi-factor authentication, separate admin accounts for backups, and backup systems that attackers cannot easily alter or erase after they get in. (ncsc.gov.uk, ncsc.gov.uk)

For anyone who used Healthdaq, the practical question is not whether hospital treatment records were frozen, but whether identity documents uploaded for a job application are now circulating outside the system they were meant for. That is why a breach in a hiring platform can still deepen mistrust of every new app that asks health workers to upload one more piece of their lives. (bbc.com, healthdaq.com)
