NHS has blocked over 11m cyber attacks over the past three years

The NHS has blocked a total of 11.4 million malicious emails over the last three years according to a Freedom of Information request sent by Centrify.

NHS Digital responded to the request stating that out of the 11.4 million, over six million were blocked due to IP or domain reputation attacks, whilst 3.6 million accounted for spam and 852,000 accounted for malware-borne attacks. 

Due to the malicious emails, NHS Digital stated that it did not hold data on financial losses to the public. 

The NHS still remains vulnerable to cyber attacks, with a whitepaper by Imperial College, stating that due to a combination of outdated computer systems and a lack of skills and awareness in cyber security, NHS hospitals are still at risk. 

The infamous WannaCry attack resulted in the cancellation of 19,000 appointment and operations and staff being unable to gain access to patient data and critical services in around 34 NHS trusts. It cost the NHS an estimated £92 million. 

Last year, the Department of Health and Social Care announced an investment of £150m over the next three years to improve NHS IT resilience. 

Dr Saira Ghafur, lead author of the whitepaper from the IGHI commented:

“NHS trusts are already under financial pressure, so we need to ensure they have the funds available to ensure robust protection against potential threats.”

However the extra funding has come under scrutiny, with many arguing that further investment and awareness is needed at all levels of the health system.

Andy Heather, Centrify VP said:

“It’s clear that hackers view the NHS as a top target with growing volumes of email attacks deliberately designed to fool doctors, nurses and other health service workers into handing over confidential data.

“Increasingly we’re seeing cyber-criminals gaining access to private information like patient records using legitimate log-in details which have been stolen or sold online. All too often this means that malicious activity remains undetected before it’s too late, so it’s vital that hospitals adopt a zero-trust approach to all user activity, ensuring every employee is verified and they are who they say they are.”


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.