The nation’s healthcare system is facing an escalating crisis as cyberattacks threaten patient data and disrupt vital services, according to a former government cybersecurity advisor. Millions of individuals’ health records are potentially vulnerable, with their value on the black market estimated to be in the billions.
Research indicates that the NHS has weathered approximately 75,000 attacks over the past two decades. Andrew Jenkinson, a leading cyber security analyst and fellow of the Cyber Theory Institute, warns of a potential catastrophic data breach at any time. This vulnerability stems largely from storing significant amounts of patient data on US-based servers, leaving them exposed to frequent breaches.
The financial burden is immense. While precise figures remain elusive, Jenkinson estimates that the NHS spends billions annually responding to roughly 360 cyberattacks each week—an average of over 50 daily. These incidents necessitate shutting down sections of healthcare operations and replacing compromised software.
Key Financial Impacts:
- Estimated £246 billion annual cost to UK businesses and government organizations (approximately 10% of the UK’s GDP).
- Globally, cybercrime is estimated at approximately £8.5 trillion annually (around 10% of global GDP).
Beyond financial losses, these breaches jeopardize patients’ access to crucial services like health insurance, life insurance, and mortgages.
“Unaddressed, the NHS will continue to suffer financially as well as fail to meet our healthcare needs because of the cost of this,” Jenkinson stated. “There are thousands of cyberattacks against the NHS every month, and the NHS cannot keep up with it.”
The scale of the problem extends far beyond reported incidents. The 2017 ‘WannaCry’ attack, for example, led to the cancellation of 13,500 outpatient appointments, including 139 involving suspected cancer patients, resulting in significant losses and potential delays in critical care.
More recently, a ransomware attack on Synnovis, a pathology lab, resulted in cancelled operations and diverted emergency patients. This event also exposed nearly 400GB of sensitive data, including patient names, NHS numbers, and blood test descriptions, which the Qilin ransomware group reportedly published.
The number of reported cyberattacks has steadily increased:
- 1,565 incidents were reported in 2013–14.
- This jumped to 7,178 in 2016–17.
Jenkinson estimates that the total cost of these incidents could now exceed £7.5 billion, considering the average healthcare cyber incident costs around £100,000.
“Cybercrime and fraud are interconnected,” Jenkinson explained. “Stolen data and credentials obtained through cyberattacks are sold on the dark web, fueling further scams.”
Public sector organizations across the UK – from hospitals and schools to councils – are increasingly seen as easy targets due to outdated systems, limited resources, and the high value of their data.
Recent threats include:
- Ransomware attacks impacting a third of English schools, with demands averaging £5.1 million.
- Major breaches affecting local councils, like Hackney Council’s paralysis following a 2020 attack.
- Warnings from GCHQ regarding a growing threat from pro-Russian and pro-Palestinian hackers targeting British organizations, including the armed forces and infrastructure operators.
Analysts attribute this heightened risk to Britain’s prominent support of Ukraine, which makes the country a more attractive target.
Jenkinson cautions that without urgent investment in stronger cyber defenses, the UK risks “a cascade of catastrophic data failures” across essential services. He emphasizes that these incidents represent not only financial burdens but also pose a direct risk to patient safety and can lead to cancelled procedures.