NHS 'woefully exposed' to cybercrime as Britons' personal health data 'hanging by a thread'

GB News
By Lucy Johnston


Published: 08/04/2025 - 16:18

Local councils have also suffered major breaches

The NHS is "woefully exposed" to cybercrime with the personal health data of millions of patients "hanging by a thread", a former Government advisor on cyber security has warned.

The data is worth billions on the black market and the health service has already had to withstand an estimated 75,000 attacks in the past two decades, new research has revealed.


Leading cyber security analyst Andrew Jenkinson believes a catastrophic data theft could occur at any time because the NHS and its partners are storing much of their data on outsourced US servers, which are “perpetually exposed to data breaches”.

Although there are no official figures on the total annual cost of cyberattacks on the NHS, Jenkinson, a fellow of the Cyber Theory Institute, a cybersecurity advisory group, has passed GB News a dossier of evidence about the scale of the cybersecurity problem in the NHS.


He said the health service is forking out billions of pounds every year to respond to approximately 360 cyberattacks a week, the equivalent of 51 a day.

These costs include closing sectors of the health service and replacing computer software.

He said the health service data breaches also risk people's ability to access health insurance, life insurance and even a mortgage, if personal information is sold on.

The cyberattacks on the NHS are part of a bigger picture in which the threat of cybercrime is underplayed, his report shows.

This costs UK businesses and Government organisations an estimated £246billion a year — approximately 10 per cent of the UK’s GDP.

Cybercrime is also estimated to cost 10 per cent of the global GDP — approximately £8.5trillion a year.

He said: “Unaddressed, the NHS will continue to suffer financially as well as fail to meet our healthcare needs because of the cost of this. There are thousands of cyberattacks against the NHS every month and the NHS cannot keep up with it.”

He added: “This is not just a financial burden; it is also a risk to life when operations or procedures are cancelled.”

Major publicised incidents are just the “tip of the iceberg”, he said. These include an attack in 2017 dubbed ‘WannaCry’, which led to the cancellation of 13,500 outpatient appointments, including 139 for patients with suspected cancer, amounting to millions lost through reduced activity and potentially delaying critical care.

Another was a ransomware attack in June 2024 on pathology lab Synnovis, which led to cancelled operations and meant emergency patients had to be diverted.

Guy’s and St Thomas’ NHS Foundation Trust, King’s College Hospital NHS Foundation Trust and primary care services in South East London had to postpone at least 1,693 elective procedures and 10,054 acute outpatient appointments at King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust.

The attack also contributed to a potentially deadly shortage of O-type blood among NHS hospitals.

As well as the direct impact on patient care, the ransomware group Qilin reportedly published nearly 400GB of data stolen from Synnovis. This included sensitive NHS patient information, such as patient names, NHS numbers and descriptions of blood tests.

Based on data from the NHS’ publisher, the National Health Executive, NHS trusts reported 1,565 cyberattacks in 2013–14. This rose sharply to 7,178 in 2016–17.

Based on this trend, Jenkinson estimates that the NHS has suffered around 75,000 cyberattacks between 2000 and 2024 — or over 18,000 attacks a year — 360 attacks a week, 51 cyberattacks every day.

With the average cost of a healthcare-related cyber incident estimated at £100,000, the total cost to the NHS may now exceed £7.5billion, Jenkinson estimates.

He said: “These incidents do not include the entire financial toll nor the widespread disruption to patient care, cancelled operations, data breaches, and long-term risks to patient safety and trust.”

He added: “Cybercrime and fraud are interconnected. Stolen data and credentials obtained through cyberattacks are sold on the dark web, fuelling further scams. These credentials are exploited in phishing, telephone fraud, and other criminal activities, often by multiple cybercriminal groups, amplifying the financial and social damage.”

Recent years have seen an explosion in attacks on the UK public sector, from hospitals and councils to schools. Many experts say these organisations are seen as “low-hanging fruit” by cybercriminals, due to outdated systems, limited resources and the high value of the data they hold.

Just last year, a third of schools in England were hit by ransomware attacks, with demands averaging £5.1million and some institutions forced back to “chalk and talk” methods after systems were wiped out.

Local councils too have suffered major breaches, with the Information Commissioner’s Office citing serious failings at Hackney Council after a 2020 attack left services paralysed for months.

And last week, the Government intelligence agency GCHQ warned of a growing threat of pro-Russian and pro-Palestinian hackers against British organisations and state agencies, including the armed forces, security services, infrastructure operators and councils.

United by a shared opposition to Western values, a Holy League coalition of 90 ‘hacktivist’ groups includes members believed to be working alongside Russia’s military intelligence branch.

Analysts say Britain’s more prominent leadership role in support of Ukraine over the last two months has made it a bigger target.

Last month, hackers claimed to have carried out simultaneous attacks on the websites of the British army, Royal Navy and Office for Nuclear Security.

Jenkinson warns that unless Government and public bodies urgently invest in stronger cyber defences, the UK risks a “cascade of catastrophic data failures” across essential services.

GB News has approached the Government for comment.