NHS Cyber Attack Warning Says Risk Now Tops Pandemic

The NHS cyber attack warning follows a board paper rating cyber above pandemic risk and pointing to suppliers, patient data, AI and recovery drills.

The NHS cyber attack warning is now written into NHS England’s own risk register language. In the 4 June risk management paper, NHS England says a cyber incident presents a higher risk than pandemic risk in both likelihood and impact.

That puts the warning beyond a normal IT alert. The same paper lists cyber security and service resilience among operational risks with a risk score of 25, and says a simulation exercise is planned for July to test how the NHS keeps critical services running through a significant cyber incident.

The Board Paper Put Cyber Above Pandemic Risk

The paper was published on 3 June 2026 for the NHS England board meeting held on 4 June 2026. It says the Strategic and Operational Risk Registers were considered by the NHS Executive on 26 May, and that the board was asked to note both registers.

The clearest line is in the risk and resilience section. NHS England says pandemic risk is assessed as high at a national level because of its potential to affect every person and organisation, but its organisational rating is lower because mitigations and preparedness measures are already in place.

Cyber is treated differently. The paper says that, when viewed from an NHS England perspective, a cyber incident presents a higher risk in terms of both likelihood and impact, and is therefore rated higher than pandemic risk in its risk registers.

| Risk Area | NHS England’s Current Position | Reported Action |
| --- | --- | --- |
| Cyber risk | The current score remains very high because of a significant and increasing threat environment. | A simulation exercise is planned for July to evaluate resilience to a significant cyber incident. |
| Pandemic preparedness | The risk is high at national level, while NHS England’s organisational rating is lower because mitigations and preparedness measures are in place. | The existing pandemic preparedness risk has been escalated to the Operational Risk Register. |
| Data breach | The current position shows a reduced target score of 16. | The paper cites data protection health checks, enhanced third party assurance and improved incident response arrangements. |

The paper also says cyber risk has a target score of 16 against a 2030 delivery horizon. It says that horizon lines up with the Cyber Strategy lifecycle while acknowledging persistent external threat levels, variable sector maturity and reliance on supplier assurance and recovery planning.

Patient Safety Is in the Cyber Column

NHS England’s own director guide, published in April 2026, links cyber risk to clinical harm. It says serious disruptive cyber incidents in health and care have affected patient safety and trust, and cites more than 10,000 deferred outpatient appointments and 1,700 procedures from one incident alone.

The same guide says the sector is moving to a more digitised way of working while attacks threaten the availability of vital systems and the exposure of sensitive patient data. It also tells directors that boards have ultimate accountability for overseeing and directing an organisation’s security measures.

“Cyber is a tier one risk affecting organisations of all shapes and sizes.”

Dr Jamie Saunders, non-executive chair of the Cyber Security Risk Committee at NHS England, wrote that line in the NHS guide for executive and non-executive directors. He added that recent incidents had a direct impact on patient safety and care.

The Synnovis case gave that warning a clinical edge. Sky News reported on 25 June 2025 that King’s College Hospital NHS Foundation Trust confirmed one patient died unexpectedly during the cyber attack, and that a patient safety incident investigation identified a long wait for a blood test result as one of several contributing factors.

Suppliers Are Now in the Frame

Synnovis is a pathology provider for healthcare organisations including the NHS. NHS England’s official Synnovis cyber incident update says the provider was hit by a ransomware cyber attack on 3 June 2024, disrupting services across the UK and significantly reducing its capacity to process tests.

The update says the impact was greatest in South-East London, where delays affected over 11,000 outpatient and elective procedure appointments. It also says services were fully restored by December 2024.

  1. On 3 June 2024, Synnovis was the victim of a ransomware cyber attack that disrupted services across the UK.
  2. On 20 June 2024, the criminals responsible published data files stolen in the attack.
  3. By December 2024, NHS England says Synnovis services were fully restored.
  4. On 10 November 2025, NHS England said the investigation into the scope of stolen data was complete and Synnovis was contacting impacted customers.

NHS England and the Department of Health and Social Care had already moved toward direct supplier engagement. In their January supplier cyber assurance letter, they said the health and care system cannot protect itself without the partnership of the organisations that support it.

The letter says NHS England or the relevant contracting authority may contact suppliers to discuss key cyber security controls and request supporting evidence where appropriate. It names suppliers that deliver services critical to patient care or operational continuity as an example.

  • Keeping systems supported and patched against known vulnerabilities.
  • Maintaining Standards Met in the Data Security and Protection Toolkit.
  • Applying Multi-Factor Authentication and enabling it on NHS-facing products where appropriate.
  • Deploying effective monitoring and logging of critical IT infrastructure.
  • Ensuring backups that cannot be changed, with tested recovery plans.
  • Conducting board-level exercising.

The letter says the programme is not an audit and not a pass or fail exercise. Its stated purpose is to identify risk and agree proportionate remediation activity.

The Data Problem Reaches Research

The cyber warning is also landing in a wider health data debate. UK Biobank said in its security review findings that, at the end of April 2026, it identified participant data being offered for sale on a consumer website.

Its questions and answers section says that in April 2026 it discovered de-identified participant data being offered for sale on a Chinese consumer website. It also says the listings were removed and that it is believed the listings identified in this case were not sold.

UK Biobank says information that could identify a participant, including name, address, date of birth and NHS number, is stored separately from the data made available to researchers. It also says downloading data from its platform and offering it for sale are clear breaches of UK Biobank policy, and that the individuals and academic institutions responsible have been banned.

The same review says no new linked health outcome data, including GP data, will be made available to researchers until recommended security measures are implemented. It says those measures include an output checking system intended to prevent de-identified participant data from being taken off the platform.

AI Adds Another Layer to the Risk

NHS England’s June risk paper says one of the new operational risks is medical device regulation compliance. It describes a possible impact on service continuity during structural change and a risk of an innovation freeze if NHS England cannot meet new regulatory requirements for AI-enabled technologies.

The National Cyber Security Centre’s annual review says agentic AI systems can operate without direct human oversight, pursue goals and adapt to changing environments. Its agentic AI security work also says these systems offer powerful cyber defence capabilities while introducing risks related to control, alignment and misuse.

UK Biobank’s review points to the same pressure from a data angle. Its recommendation on re-identification risk says the review needs to take account of current and prospective technology, particularly next generation AI models.

The NCSC annual review also says ransomware conducted by financially motivated criminals continues to be the most immediate, disruptive threat to critical national infrastructure sectors. In the same incident management section, it says health was among the top sectors reporting ransomware activity to the NCSC in the year it reviewed.

The July Exercise Will Test Recovery

NHS England’s risk paper says the July simulation is planned to evaluate NHS resilience to a significant cyber incident. The focus is the system’s ability to maintain critical services and coordinate a national response during a prolonged period of disruption.

The exercise is planned in phases. NHS England says a small number of NHS organisations will take part as a representative sample of the wider system, particularly at local level, with the learning used to inform system-wide preparedness.

That is the part of the warning local leaders can act on first. The board paper puts cyber above pandemic risk, the supplier letter names the control checks, and the July exercise is designed to test whether critical services can keep running when the network does not.

Logan Pierce is a writer and web publisher with over seven years of experience covering consumer technology. He has published work on independent tech blogs and freelance bylines covering Android devices, privacy focused software, and budget gadgets. Logan founded Oton Technology to publish clear, no nonsense tech news and reviews based on real hands on testing. He has personally tested and reviewed dozens of mid range and budget Android phones, written extensively about app privacy, and built and managed multiple WordPress publications over the past decade. Logan holds a bachelor's degree in English and studied digital marketing at a certificate level.
