Nine Years, Zero Consequences, Thousands of Patients: The NHS Cybersecurity Scandal Nobody Is Held Accountable For
From WannaCry to Synnovis to Today's Disclosure: A Patient's Data Was Never Safe, and Those Responsible Have Never Faced Justice
Analysis | June 2026
The Latest Disclosure — And Why It Matters That You Are Already Tired of Reading These
This week, the Mid and South Essex NHS Foundation Trust confirmed that 2,380 patient records were among data stolen in the Synnovis ransomware attack — an incident that first came to light in June 2024. The stolen data, taken from Synnovis systems that processed blood, urine and tissue samples for hospitals in Chelmsford, Basildon, and Southend, may include names, dates of birth, NHS numbers, and medical test results. The trust says it was notified of the breach in December 2025 — eighteen months after the original attack. It is now working to identify and contact affected patients.
This disclosure came days after Bedfordshire Hospitals NHS Foundation Trust confirmed that nearly 33,000 of its patients were also affected by the same attack — an attack for which the Russia-based cybercriminal group Qilin has claimed responsibility, and which originally struck in June 2024. As of June 2026 — two years on — the full scale of the breach is still being established.
Lee Sult, Chief Investigator at cybersecurity firm Binalyze, captured the situation with devastating precision: "If we're still trying to determine the true scale two years later, it's less an investigation than a slow-burn crisis."
He is right. But this is not a new crisis. It is the continuation of a crisis that began, in its current form, on May 12, 2017.
The Inventory of Failure: 2017 to 2026
Let us be precise about the record, because precision is what accountability requires.
May 2017 — WannaCry. The WannaCry ransomware encrypted data on 230,000 computers in 150 countries. The NHS was not a specific target; it was simply one of the most vulnerable networks exposed. The attack affected 81 NHS Trusts in England, disrupted a third of NHS organizations, forced the cancellation of approximately 19,000 appointments, and cost the NHS an estimated £92 million in lost activity and IT remediation costs. The root cause was not sophisticated: a majority of the impacted systems were running Windows XP — an operating system Microsoft had retired in 2014 and for which it was no longer providing security patches. The NHS had been warned, repeatedly, that its reliance on legacy operating systems was a critical vulnerability.
The National Audit Office report that followed was scathing. NHS Digital had flagged the risks to trusts before the attack. At least one government health organization had been sent the patch that would have prevented infection five weeks before WannaCry struck. Ninety percent of the organizations affected had not installed it. The attack was preventable.
October 2022 — Advanced Computer Software Group. A ransomware attack on Advanced, an NHS IT partner, took offline seven health systems including patient check-in software, medical notes systems, and the NHS 111 non-emergency service. Some GP surgeries were forced to take patient notes on paper. Doctors told the BBC the backlog would take months to process. The personal information of 82,946 people was stolen — including, grotesquely, information on how to gain entry to the homes of 890 people receiving care at home. In 2024, the Information Commissioner's Office issued a provisional fine of £6 million against Advanced. The breach was linked to the absence of two-factor authentication on a single user account.
The attackers gained access through a poorly protected customer account. Not a zero-day exploit. Not a nation-state operation. The absence of a basic, widely available, essentially free security control.
June 2024 — Synnovis / Qilin. A ransomware attack on Synnovis — a pathology services partnership operating for Guy's and St Thomas' NHS Foundation Trust and King's College Hospital — led to the declaration of a Critical Incident by NHS England. The attack caused a complete lockdown of Synnovis's systems, limiting access to pathology services and severely disrupting patient diagnostics, blood transfusion processing, and result reporting. Blood transfusions were particularly affected, which led to cancelled operations, almost 200 of them relating to cancer treatments. NHS England later confirmed the disruption led to the cancellation of 10,152 outpatient appointments and the delay of 1,710 elective procedures. It took 16 weeks for services to return to near-normal levels. Qilin ultimately leaked 400 GB of sensitive patient data on the dark web when a reported $50 million ransom demand was not met.
The consequences of the Synnovis attack have now been confirmed to include the death of a patient, with delays in blood test results confirmed as a contributing factor.
A person died because a ransomware group attacked a pathology services provider. We should not allow that sentence to be normalized by proximity to other statistics.
November–December 2024 — Merseyside. Four hospitals in Merseyside were targeted by cyberattacks in the final weeks of 2024. The pattern repeated: systems disrupted, patient services affected, investigations initiated.
2025 — Ivanti Exploit. NHS organizations were among those compromised through an Ivanti EPMM vulnerability. The cycle continues.
2026 — Ongoing Synnovis Disclosures. Two years after the Synnovis attack, NHS trusts are still discovering how many of their patients were affected. Thousands more records are being confirmed as stolen, notified to trusts in batches, disclosed in rolling increments that extend the victims' uncertainty indefinitely.
Nine Years of Frameworks, Strategies, and Action Plans
The most maddening aspect of this record is that it has not occurred in the absence of awareness, investment, or regulatory response. The opposite is true. The NHS has produced more cybersecurity strategies, frameworks, toolkits, and action plans than almost any public institution in the world. The frameworks are comprehensive. The guidance is detailed. The problem is that none of it has reliably translated into the operational security that patients deserve.
Post-WannaCry reforms. The 2017 attack prompted substantial capital investment to upgrade systems and improve cybersecurity capabilities across the NHS. The government committed hundreds of millions. NHS Digital published guidance. The Care Quality Commission incorporated cybersecurity into its inspection regime. The National Cyber Security Centre (NCSC) established dedicated NHS engagement programs.
The Data Security and Protection Toolkit (DSPT). Since 2018, every organization accessing NHS data or systems has been required to complete an annual self-assessment against the National Data Guardian's 10 Data Security Standards. Version 8, published in 2025/26, introduced the most significant changes since the toolkit launched — full alignment with the NCSC Cyber Assessment Framework (CAF), moving from checklist-style compliance to evidence-based, outcome-driven assurance, with mandatory independent audits for the largest organizations.
The Cyber Assessment Framework. NHS England mandated CAF alignment from 2024/25 onward for NHS Trusts and Integrated Care Boards. This framework covers governance and supply chain assurance, vulnerability management, monitoring, logging, data protection rights, and incident response readiness.
The 2025 Supplier Charter. In May 2025, NHS England and the Department of Health and Social Care issued an open letter to supplier CEOs asking them to sign a charter of cyber security best practice, emphasizing eight principles aimed at fortifying NHS supply chains — including the implementation of multi-factor authentication. The letter had to be written at all because, in 2022, a supplier providing systems to the NHS had not implemented MFA on a customer account.
The NCSC Collaboration Plan. In April 2026, the NCSC outlined a coordinated plan to boost NHS cyber resilience, emphasizing inter-organizational collaboration, shared lessons, and coordinated risk reduction. It was described as showing "what is possible when organizations align around a shared goal."
What is possible is not what is happening. The record of the past nine years is what is happening.
Who Is Accountable? The Question Everyone Avoids
The word "accountability" appears in every NHS cybersecurity strategy ever published. Its practical application has been almost entirely absent from the response to every major breach.
Let us trace the accountability chain in the Synnovis incident and ask at each level where it breaks down.
Qilin, the criminal group. Yes, they are responsible for the attack. They are a Russia-based organized crime group operating with effective impunity from a jurisdiction that does not extradite to the UK and does not prosecute ransomware attacks against Western institutions. Criminal accountability, in this case, means nothing practically.
Synnovis. The pathology services provider was the immediate victim. But it was also the custodian of sensitive patient data for NHS organizations across London, and its cybersecurity posture at the time of the attack has not been publicly disclosed in detail. The ICO has opened proceedings. Whether Synnovis, like Advanced in 2022, will ultimately receive a fine that represents a fraction of the damage its breach caused — and continue operating — remains to be seen.
The NHS Trusts that contracted Synnovis. They trusted a third-party supplier with sensitive patient data. Their due diligence on that supplier's cybersecurity posture is not public. Their contractual requirements around supplier security standards are not public. Their incident response processes — including the timeline for identifying which patient records were affected (18 months, in the case of Mid and South Essex) — raise serious questions about internal data governance capabilities.
NHS England / NHSX / NHS Digital. The central NHS bodies responsible for cybersecurity strategy and guidance. They have produced frameworks, toolkits, and advisory letters. They have not, to date, produced a publicly accountable root cause analysis of why a pathology services provider contracted by major London NHS trusts had sufficient vulnerability to a ransomware attack to enable the theft of data affecting tens of thousands of patients and the disruption of care sufficient to contribute to a patient's death.
The Department of Health and Social Care / Government. Ultimate political accountability. The NHS cybersecurity budget has increased since 2017, but NHS organizations consistently report that chronic underfunding means cybersecurity competes with clinical care for resources that are not sufficient for both. Legacy systems — the root cause of the WannaCry vulnerability — remain widespread across the NHS in 2026. The 2017 National Audit Office report noted that the NHS had repeatedly been told about its legacy system risks. That recommendation has never been fully actioned. Nine years and multiple attacks later, it remains only partially addressed.
The Information Commissioner's Office. The ICO is the formal regulatory accountability mechanism. In the Advanced case, its initial response was a £6 million provisional fine for a breach affecting 82,946 people. That fine was ultimately reduced to £3.07 million — after the ICO cited the strain on public sector organizations in its reasoning for reduction. The message that sends — that breaching the data of 82,946 people will cost approximately £37 per record, and may be reduced further out of sympathy for the organization's financial position — is not a message that drives systemic behavior change.
The Systemic Pathology: Why the Frameworks Are Not Working
The question is not whether frameworks exist. They do. The DSPT is comprehensive. The CAF is rigorous. The NCSC guidance is detailed and current. The question is why excellent frameworks coexist with persistent catastrophic failures.
The compliance-versus-security gap. The NHS DSPT, like ISO 27001 and similar frameworks, measures whether organizations can demonstrate compliance with standards. Compliance is not security. An organization can complete its DSPT self-assessment, pass its annual audit, and still have a critical vulnerability in a supplier's single-factor authenticated account because the assessment framework measures policies, processes, and controls — not the actual adversarial resilience of the system. The 2022 Advanced breach occurred in an organization that was presumably compliant with supplier security requirements at the time of the attack. A single unprotected customer account was all the attackers needed.
The supply chain accountability gap. The NHS directly employs hundreds of thousands of people. Its extended supply chain — IT providers, pathology services, laboratory services, software vendors, managed service providers — encompasses thousands of organizations, each with its own cybersecurity posture. NHS England's 2025 Supplier Charter was an acknowledgment that this gap exists. A voluntary charter asking supplier CEOs to commit to best practices is not a contractual control, a technical requirement, or a regulatory obligation. It is a politely worded request.
The third-party breach notification gap. The Synnovis breach occurred in June 2024. Mid and South Essex NHS Foundation Trust was informed of its specific patient records being affected in December 2025 — eighteen months later. Bedfordshire Hospitals confirmed nearly 33,000 affected patients more than a year and a half after the attack. This timeline is not merely a failure of investigation velocity. It reflects the reality that the NHS's data architecture — patient records spread across extensive networks of internal systems and external suppliers — makes it structurally difficult to determine which patient's data was held on which system at the time of which breach.
This is a known problem. It is a known consequence of fragmented data governance, inadequate information asset registers, and incomplete logging and monitoring. The Cyber Assessment Framework mandates improvements in all three areas. The time it is taking to establish the scale of a 2024 breach in 2026 suggests these improvements are not yet operationally effective.
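The structural problem described above is, in practice, a question the information asset register has to answer: which patients' records was this supplier holding during the breach window, and which flows cannot be placed in time at all. The following is an added example, not code from the article or from any NHS body; every trust, supplier, NHS number and date in it is constructed, and the breach window is hypothetical rather than the real Synnovis timeline.

```python
"""Added example (not from the article): scoping a supplier breach from a
time-bounded information asset register. Every trust, supplier, NHS number
and date here is constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class DataFlow:
    """One register entry: this patient's dataset was held by this supplier over this period."""
    trust: str
    supplier: str
    dataset: str
    nhs_number: str
    held_from: Optional[date]   # None = the register never captured when sharing began
    held_to: Optional[date]     # None = still held by the supplier


# Constructed register entries; hypothetical trusts and suppliers.
REGISTER = [
    DataFlow("Trust Alpha", "PathLab-X", "blood_results", "9000000001", date(2024, 1, 10), None),
    DataFlow("Trust Alpha", "PathLab-X", "blood_results", "9000000002", date(2023, 5, 1), date(2024, 3, 31)),
    DataFlow("Trust Alpha", "PathLab-X", "histology", "9000000001", date(2022, 1, 1), date(2023, 1, 1)),
    DataFlow("Trust Beta", "PathLab-X", "blood_results", "9000000003", date(2024, 6, 4), None),
    DataFlow("Trust Beta", "PathLab-X", "blood_results", "9000000004", date(2024, 7, 1), None),
    DataFlow("Trust Beta", "PathLab-X", "urine_results", "9000000006", None, None),
    DataFlow("Trust Beta", "Other-Supplier", "imaging", "9000000005", date(2024, 1, 1), None),
]


def overlaps(flow: DataFlow, start: date, end: date) -> bool:
    """True if the supplier held the record at any point in [start, end] inclusive."""
    if flow.held_from is None:
        return False  # unknown start: cannot be scoped, reported separately
    ended_before = flow.held_to is not None and flow.held_to < start
    return flow.held_from <= end and not ended_before


def scope_breach(register, supplier: str, start: date, end: date):
    """Return (affected, unscopable). affected maps trust -> set of NHS numbers
    whose data the supplier held during the window; unscopable lists flows for
    that supplier which the register cannot place in time (the governance gap
    that stalls notification)."""
    affected: dict[str, set[str]] = {}
    unscopable: list[DataFlow] = []
    for flow in register:
        if flow.supplier != supplier:
            continue
        if flow.held_from is None:
            unscopable.append(flow)
        elif overlaps(flow, start, end):
            affected.setdefault(flow.trust, set()).add(flow.nhs_number)
    return affected, unscopable


def example_scope():
    """Run the constructed scenario: a two-day breach window at PathLab-X."""
    return scope_breach(REGISTER, "PathLab-X", date(2024, 6, 3), date(2024, 6, 4))


if __name__ == "__main__":
    hit, gaps = example_scope()
    for trust, patients in sorted(hit.items()):
        print(f"{trust}: {len(patients)} patient(s) to notify")
    print(f"{len(gaps)} flow(s) cannot be scoped from the register")
```

With a complete register the per-trust notification list falls out in one pass; every entry with an unknown start date is exactly the kind of gap that turns scoping into a multi-month exercise.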
The legacy system dead weight. Healthcare is one of the sectors most exposed to cyberattacks partly because of the vulnerability of systems that often run on legacy platforms. This has been true since WannaCry. It is still true in 2026. NHS organizations running on legacy infrastructure cannot implement modern security controls — not because of ignorance or negligence, but because the clinical and operational systems that the legacy platforms support are critical, replacement timelines are long, and budgets have never been sufficient for comprehensive modernization. The government has made capital available for upgrades, but not at the scale or pace required to eliminate the vulnerability.
This is ultimately a political and fiscal decision that has not been made. Patient data is paying the price.
The asymmetric economics of ransomware in healthcare. Healthcare data is estimated to be more valuable on the dark web than credit card data, because it is immutable, comprehensive, and difficult to invalidate. A stolen credit card number becomes worthless when the card is canceled. A stolen NHS record — containing medical history, dates of birth, NHS numbers, address history, medication records — remains valuable for years. Healthcare systems face a threat actor economics problem that other sectors face to a lesser degree. Yet healthcare cybersecurity spending, as a proportion of IT budgets, consistently lags behind financial services — the sector that has, largely, managed to bring financial cybercrime under systemic control through mandatory, enforced, consistently funded security requirements.
The Patient's Perspective: Invisible in the Accountability Conversation
Somewhere in this week's disclosure is a patient in Essex who had a specialist diagnostic test. They may have had a blood test that revealed a cancer diagnosis, a pregnancy complication, an HIV status, a neurological condition. That result — intimate, life-altering, medically sensitive — has been in the hands of Qilin since November 2025, and on the dark web since Synnovis confirmed the publication. That patient will receive a letter from their NHS trust. The letter will explain what happened, what data may have been exposed, what steps they can take. It will express regret.
It will not name anyone who has been held personally accountable. It will not describe what structural changes have been made to ensure it does not happen again. It will not explain why it took eighteen months to establish that their data was in the breach.
This is not a criticism of the trust staff writing the letters. They are also, in many cases, working in systems they did not design, on infrastructure they cannot fully control, within budgets that do not allow them to do what they know should be done.
What Accountability Would Actually Look Like
The current accountability architecture has three primary mechanisms: ICO fines, parliamentary scrutiny, and reputational consequences. All three are insufficient.
ICO fines on NHS suppliers and trusts ultimately come from public money. Fining an NHS trust for a data breach — money that would otherwise fund patient care — creates a moral hazard that the ICO itself has acknowledged by reducing fines on the grounds of public sector financial strain. Fines on third-party suppliers like Advanced and potentially Synnovis create some deterrent, but the amounts involved bear no proportionate relationship to the harm caused.
What genuine accountability would require:
Personal liability for Board-level executives who can be shown to have been aware of material cybersecurity risks and to have failed to act. The Advanced 2022 breach turned on the absence of MFA on a single account. That is not a technical failure — it is a governance failure. Governance failures have accountable parties at the governance level.
Mandatory public root cause analysis within a fixed timeframe after any breach affecting more than a defined number of patient records, with specific disclosure of what controls failed, why, and what contractual or regulatory oversight permitted the failure to persist.
Outcome-based supplier contracts that impose proportionate financial liability on IT and service suppliers when breaches occur in systems under their control, rather than the current regime in which suppliers accept nominal security obligations but face limited direct financial consequences for systemic failures.
Independent verification of DSPT compliance — which the 2025/26 reforms are beginning to introduce — but with a material consequence for failure to meet standards beyond delayed contract approval. Sustained failure to meet DSPT requirements should trigger operational review, not just administrative procedure.
A dedicated NHS Cybersecurity Accountability Commissioner with powers analogous to the Health Service Safety Investigations Body — able to conduct independent, no-fault investigations into major cybersecurity incidents, with authority to make recommendations binding on NHS England, suppliers, and government.
A Final Word: On the Language of Inevitability
The most insidious aspect of how NHS cybersecurity failures are reported and processed is the gradual normalization of breach as an inevitable condition of operating in healthcare. Reports describe the threat landscape as though ransomware attacks on hospitals are forces of nature rather than consequences of specific decisions — to under-invest, to retain legacy systems, to accept nominal supplier security standards, to make compliance theater substitute for operational security.
They are not inevitable. The financial sector, under regulatory pressure that has no equivalent in healthcare, has reduced the incidence of catastrophic systemic cyber failures substantially. It did so not because the threat actors targeting banks are less sophisticated than those targeting hospitals — they are not — but because the consequences of failure are imposed on decision-makers proportionate to the harm caused, and the investment required to reduce risk is therefore made.
Healthcare has not made that bargain. It has instead produced frameworks, published toolkits, written charters, and watched the patient data of hundreds of thousands of people be stolen, published, and traded — again and again and again.
In 2017, WannaCry showed what was possible when a poorly patched NHS network met a mass exploitation tool. We published reports. We invested in remediation. We wrote strategies.
In 2022, Advanced showed what was possible when a single unprotected account met an organized criminal group. We issued a fine. We published guidance on MFA.
In 2024, Synnovis showed what was possible when a critical pathology services provider had sufficient vulnerability to allow the theft of data affecting tens of thousands of patients and to contribute to a patient's death. We are still finding out who was affected.
In 2026, we are writing about it again.
At some point, the question is not what the frameworks say. The question is why the people responsible for implementing them face no personal consequence when they fail — and whether we as a society are prepared to keep accepting "lessons will be learned" as the final answer when someone's medical records end up on the dark web.
Because the lessons, clearly, have not been learned.
Sources: BBC News; Computing.co.uk; The Lancet Digital Health; National Audit Office (WannaCry Report); Information Commissioner's Office; NHS England; Hill Dickinson Healthcare Law; Infosecurity Magazine; Binalyze; CM-Alliance Synnovis Timeline; NCSC; NHS DSPT Toolkit Documentation 2025/26.