More than a million NHS patients’ details compromised after cyberattack

The ransomware attack targeted a data set holding details of patients at 200 hospitals
The ransomware attack targeted a data set holding details of patients at 200 hospitals

NHS details of more than a million patients have been compromised in a cyberattack, senior health chiefs have been warned.

A recent ransomware attack on the University of Manchester affected an NHS patient data set that holds information on 1.1 million patients across 200 hospitals, leaks to The Independent have confirmed.

Among the details potentially exposed are NHS numbers and the first three letters of patients’ postcodes.

The information – which includes records of major trauma patients across the country and people treated after terror attacks – was gathered by the university for research purposes.

In its warning to health officials, the university said it did not know how many patients were affected or whether names had also been hacked.

An NHS document seen by The Independent said specialist analysis had shown the university’s back-up servers were accessed, but it is not known who was behind the attack.

As a result of the incident, NHS chiefs were warned by UoM that there is “potential for NHS data to be made available in the public domain” and the data set has since been closed.

Some patients will not know they are on the database, launched in 2012, as they did not need to give consent to be recorded on it.

According to an investigation carried out by the university, analysis suggests around 250 gigabytes of its data was accessed.

In an unrelated incident on August 5 last year, a separate hack led to the outage of software used to access patient data across NHS 111, a dozen mental health trusts, community hospitals and out-of-hours GP services.

The outage lasted weeks and led to significant safety risks such as patients being prescribed the wrong dose of medication and clinicians being unable to properly assess mentally unwell patients.

The Independent previously reported on warnings from experts that the NHS could face further attacks due to fears that cybersecurity had been weakened following the pandemic.

Last weekend, 999 services were hit by a major incident as a technical fault experienced by BT Internet, which runs the lines, led to a delay in calls being transferred to ambulance services. Following the incident, patients were advised to call NHS 111 if they could not get through.

A University of Manchester spokesperson declined to comment regarding the NHS data, but did not deny the breach.

They said: “During the week commencing 5 June, we found out that the university was the victim of a cyber incident.

“We confirmed on 23 June that our systems have been accessed and student and alumni data has been copied. Individuals have been informed of this cyber incident and offered support and advice to further protect their data.

“Our investigations into the impact are ongoing and we are continuing to work with relevant authorities and partners, including the Information Commissioner’s Office, the National Cyber Security Centre (NCSC), the National Crime Agency, and other regulatory bodies.

“Our in-house data experts and external support are working around-the-clock to resolve this incident and respond to its impacts, and we are not able to comment further at this stage.”

A spokesperson for the ICO said: “We can confirm that we have received a report of a ransomware attack at the University of Manchester and are assessing the information provided.”

NHS England declined to comment.