In June 2026, the National Data Guardian (NDG) for Health and Social Care wrote to NHS England to seek clarification on how external Palantir staff had gained access to identifiable patient data within the NHS Federated Data Platform (FDP). The watchdog described the situation as an "inconsistency" between what it had been told and what was happening. For anyone working in cyber security in healthcare, the episode is instructive, not because it is unusual but because it is not. Access control failures in healthcare rarely begin with a deliberate breach. They begin with convenience, operational pressure, and the assumption that because something has been approved at a high level, the detail will take care of itself. The NHS Palantir case is a reminder that in high-stakes data environments, the detail is the governance.
The NHS Federated Data Platform is a flagship NHS England programme. Palantir Technologies, which holds a £330 million contract to develop it, had been granted a new "admin" role allowing external contractor staff access to the National Data Integration Tenant (NDIT), the environment where patient data sits before it is pseudonymised. This was confirmed by NHS England following media reporting.
The NDG's position is clear: when it reviewed the programme's Data Protection Impact Assessment (DPIA), the document stated that access to identifiable patient information would be limited to NHS staff with a legitimate need. External contractor access was not what it had been told to expect.
The NDG has now written to NHS England to request an explanation. What it described as an "inconsistency" is, in practice, exactly what poor healthcare cyber security strategy looks like in operation: access expanded incrementally, documentation lagging behind reality, and oversight bodies working from an account of the system that no longer matches the system itself.
The NDG's intervention is a useful lens through which to examine the compliance landscape that every healthcare organisation and technology supplier is already operating within.
The DSP Toolkit requires NHS organisations and their partners to demonstrate active, documented controls over who can access patient data and to evidence that access is reviewed. It is not sufficient to have a policy in place. The Palantir case illustrates what happens when access creep outpaces the documentation framework designed to contain it.
The Network and Information Systems (NIS) Regulations place accountability for network and information system security at the organisational level. Where external parties such as contractors, integration partners, and platform suppliers operate within an organisation's data environment, the accountability does not transfer to them. The NHS organisation remains the accountable body. Healthcare data protection obligations do not diminish when a third party is in the system; they intensify.
The Information Commissioner's Office and the NDG each carry meaningful enforcement powers. The NDG's letter to NHS England is a public, formal exercise of oversight. The ICO has demonstrated, repeatedly and across sectors, that "we weren't aware" is not a defensible position when the access controls required to generate awareness were not in place to begin with.
For any healthcare organisation whose cyber security compliance posture rests on assumption rather than evidence, this case is a direct prompt to revisit that posture.
The underlying question in the NHS Palantir case is not whether anyone acted in bad faith. It is whether the access governance framework was capable of producing an accurate, auditable account of who could see what and whether the documentation kept pace with operational reality.
Healthcare organisations working with complex technology programmes, multiple suppliers, and integrated data environments face this challenge constantly. The gap between what a DPIA says and what the system does is not unusual. What is unusual, and what the NDG's intervention makes clear, is that the gap is now attracting formal regulatory scrutiny.
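One way to make the gap between what a DPIA declares and what the system actually grants mechanically checkable, as an added example that is not code from the NDG, NHS England, Palantir or the FDP programme: a small Python reconciliation of a declared access policy against an export of actual role grants. The tenant names, roles, accounts and the `find_drift` function are constructed for illustration and assume an IAM export that records each holder's employer and a reference to their recorded justification.

```python
"""Reconcile declared access (DPIA statement) against actual role grants.

Added illustration; all tenant names, roles and accounts are constructed.
"""
from dataclasses import dataclass

# Constructed sample: what the DPIA says about the identifiable-data tenant.
# Only NHS employees with a recorded legitimate need may hold reader/admin roles.
DECLARED_POLICY = {
    "identifiable_tenant": {
        "allowed_employer": {"nhs"},
        "roles_requiring_need": {"reader", "admin"},
    },
}

@dataclass(frozen=True)
class Grant:
    account: str
    employer: str         # e.g. "nhs" or "contractor"
    tenant: str
    role: str
    legitimate_need: str  # reference to a recorded justification, "" if none

# Constructed sample grants, as an IAM export might present them.
ACTUAL_GRANTS = [
    Grant("j.smith", "nhs", "identifiable_tenant", "reader", "NEED-0041"),
    Grant("ext.engineer1", "contractor", "identifiable_tenant", "admin", ""),
    Grant("a.patel", "nhs", "identifiable_tenant", "admin", ""),
    Grant("ext.engineer2", "contractor", "pseudonymised_tenant", "reader", ""),
]

def find_drift(grants, policy=DECLARED_POLICY):
    """Return (account, reason, role) for every grant that contradicts the policy."""
    findings = []
    for g in grants:
        rule = policy.get(g.tenant)
        if rule is None or g.role not in rule["roles_requiring_need"]:
            continue  # tenant not covered by the DPIA statement, or a low-risk role
        if g.employer not in rule["allowed_employer"]:
            findings.append((g.account, "employer_not_permitted", g.role))
        elif not g.legitimate_need:
            findings.append((g.account, "no_recorded_need", g.role))
    return findings

if __name__ == "__main__":
    for account, reason, role in find_drift(ACTUAL_GRANTS):
        print(f"{account}: {reason} ({role})")
```

Run against a real export, the findings list is the evidence an oversight body asks for: each entry is a grant that the documentation does not account for.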
A robust healthcare cyber security strategy in this environment requires three things:
These are not aspirational elements of a mature cyber security programme. They are baseline requirements in a regulated healthcare environment.
The NDG's public statement and formal letter to NHS England are significant not only for the FDP programme, but for the broader direction of oversight in NHS data governance. Oversight bodies are asking more specific questions, requesting documentary evidence, and demonstrating a willingness to investigate publicly when the answers are unsatisfactory.
For healthcare executives and governance leads, this is the environment in which healthcare cyber security programmes are now being assessed. The question is no longer whether your organisation has a cyber security policy. It is whether your organisation can demonstrate, with evidence, that the policy reflects operational reality.
At Santegic, we work with NHS organisations, digital health suppliers, and technology partners to build the governance frameworks, documentation, and audit infrastructure that make that demonstration possible.
The NHS Palantir case will continue to develop. What will not change is the underlying principle it illustrates: in cyber security in healthcare, undocumented access is ungoverned access, and ungoverned access is a regulatory and reputational liability.
The NDG's letter is a live example of what that liability looks like under formal scrutiny. For healthcare organisations and their technology partners, the time to build the evidence base is before the letter arrives, not after.
If your organisation needs support developing its healthcare cyber security strategy, strengthening access governance, or preparing for DSP Toolkit or NIS Regulations compliance, Santegic Cyber's healthcare consulting services are available to help. Get in touch to discuss your requirements.
One conversation. The right expertise.