Two major NHS cyberattacks last year exposed over 50 patients to potential clinical harm, according to official data obtained under the Freedom of Information Act. The incidents, recorded under the UK’s Network and Information Systems (NIS) Regulations, underscore the growing threat of ransomware and other financially motivated cyber incidents to public health and patient safety.
Though the government’s data does not specify the exact incidents, experts believe one case involved the ransomware attack on Synnovis, a pathology services provider whose systems were hacked in 2023. The breach caused widespread delays and cancellations at NHS hospitals across London. A separate attack on Wirral University Teaching Hospital NHS Foundation Trust similarly disrupted cancer treatments, The Register reported.
While neither attack caused excess fatalities, both crossed the threshold for the third-highest category of NIS incidents: clinical harm. This refers to harm caused by delayed or missed medical care, affecting more than 50 patients in each case.
Safety Risks Linked to Delayed Data and Diagnostics
Dr. Rosie Benneyworth, Chief Executive of the Health Services Safety Investigations Body (HSSIB), warned that cyberattacks can critically affect access to electronic patient records, lab results, and diagnostic data. “People who may be seriously ill could be affected by a delay in treatment or diagnoses,” she said.
The HSSIB, which investigates patient safety concerns in England and Wales, has yet to launch a specific investigation into the impact of NHS cyberattacks, but continues to monitor emerging risks.
Lack of Cyber Resilience Among Suppliers Raises Concern
The article also highlights a 2022 ransomware attack on IT firm Advanced, which forced NHS staff to revert to pen and paper during system outages. The company was fined £3.1 million this year for failing to secure sensitive patient data.
A key issue is that current UK laws do not mandate how software providers must continue delivering critical services during cyber incidents. In response, the British government has proposed a new Cyber Security and Resilience Bill to strengthen digital defences across the NHS and its suppliers.
Government Pushes New Cybersecurity Regulations
The Department of Health and Social Care confirmed that new legal measures are coming, including extending NIS Regulations to cover essential software providers. A spokesperson stated: “National security is one of this government’s key foundations. Our Cyber Security and Resilience Bill will help organisations, including the NHS, respond to evolving threats and protect vital services.”
Meanwhile, senior NHS leaders have written to key suppliers calling for urgent action to counter what they describe as the “endemic” threat of ransomware.
Dr. Benneyworth added that better safety frameworks and continuity plans are essential to mitigate risks in future attacks. “We’re working closely with the Joint Cyber Unit to explore how to manage patient safety during cyber incidents,” she said.
