Notification of a personal data breach

Dear friends, partners and colleagues,

We are sorry to inform you that we have experienced a breach of security that has resulted in the unauthorised access to your personal data. This affects the data about you held in Haemochromatosis UK’s IT systems and on the MyIron+ App and Ask Alice (together, the “App”).

Upon discovering the breach, we carried out a full and thorough investigation – we only wanted to reach out to notify affected individuals when we had as clear a picture as possible in relation to what happened, the implications for individuals, and what next steps might be most appropriate.

What happened?
It came to our attention in late 2025 that a person known to us had been accessing Haemochromatosis UK’s IT systems, without authority to do so, for a period of roughly six months. The person known to us also exported data during that time. It subsequently became apparent to us that the person known to us continues to have unauthorised access to the App.

This means that the person known to us has had access to various types of personal data relating to the people that we engage with, including members, consultants, nursing contacts and App users. This includes membership information (including membership number, status and dates), contact details (name, email address, postal address, telephone number) and – in relation to our medical contacts – details of the hospital and clinic/ward where you work. If you use the App, it is likely that the person known to us has access to the personal data that you have input into the App (including, if relevant, information relating to health).

What does this mean for you?
Based on the information currently available to us, we do not believe that your personal data is being used in a way that is likely to result in financial loss, identity fraud, or other serious harm to you (whether by the person known to us or any other third parties).

However, there is a possibility that some individuals may be contacted by the person known to us. We would advise that you ignore and/or delete any such messages, and we ask that you please notify us if you receive any communications from a non-HUK email address in HUK’s name. Please note that any such messages do not originate from Haemochromatosis UK and do not reflect our views or position. We also ask that you please contact us via email at [email protected] should you receive any communications from any other person in our name.

We are also aware that the Ask Alice chatbot within the App has been used to publish material about Haemochromatosis UK that has not been sanctioned by us and is inaccurate.

In any case, we completely appreciate that the unauthorised access of your personal data can cause concern, and we want to assure you that we are taking this incident, and our data protection obligations more generally, extremely seriously.

What steps have we taken?
We have taken a number of steps to address and mitigate the risks of this incident. In the first instance, we took steps as quickly as possible on discovering the incident to ensure that the person known to us no longer has access to our IT systems.

Given that the actions of the person known to us in relation to our systems and the App amount to a potential breach of contract and data protection law, we are taking legal steps with a view to ensuring that they (i) no longer access the App and (ii) delete any personal data they have access to.

We have also contacted the Charity Commission, Action Fraud and the UK Information Commissioner’s Office to make them aware of this incident and the actions of the person known to us.

What steps can you take?
As noted, we do not believe that your data is being used in a way that is likely to result in serious harm to you. There is no specific action required on your part at this time, though of course we encourage you to remain vigilant, particularly if you receive unexpected correspondence where you have doubts about the sender and/or if the correspondence suggests clicking on links or contains a request for any login or password details for any of your online accounts.

It is open to you to delete the App (and the data you may have input into it) from your device if you would like to do so, but please note that this will mean that you no longer have access to your data, including your health data, via the App (though this data will still be accessible as part of, for example, your health records).

If you would like to delete the App, you can do so as follows:
On an Android device, navigate to Settings > Apps > MyIron+ > Storage > Clear Data. You can then ‘Uninstall’ the App (again in Settings).
On an iPhone, navigate to Settings > General > iPhone Storage > MyIron+ > Delete App.
Alternatively, you can hold down the icon of the App (on either device) and press ‘Uninstall’ (for Android) or ‘Delete App’ (for iPhone) as appropriate.

Please rest assured that we are taking this incident extremely seriously. As set out above, we have taken and are continuing to take steps to protect, and to prevent any further unauthorised access to, your personal data. We have also reviewed our overall IT and data protection governance to limit the risk of another incident like this occurring in the future.

We sincerely apologise for any inconvenience and concern that this incident may cause you. If you have any questions, please reach out to us at [email protected].

Yours sincerely,
Haemochromatosis UK