600 practices affected in NHS hack attack, finds public auditor

Around 600 GP practices were affected by the IT attack that caused havoc in the NHS earlier this year, a report by the National Audit Office has found.

The report found that 595 practices were locked out of their systems on 12 May, when they were infected by the malicious ‘WannaCry’ programme, which demanded a ransom before the systems could be unlocked.

The ‘WannaCry cyber attack and the NHS’ investigation report identifies that a further 71 practices may have been locked out of their systems if the attack had not been snuffed out early thanks to the intervention of a cyber security expert.

And MPs said the Department of Health needed to ‘get serious’ about cyber security after it had failed to make contingency plans for ensuring trusts could operate without their IT systems.

Proportionally, the bug had a greater impact on hospitals, with the report noting that 81 of the 236 NHS trusts (34%) were affected by the attack – leading to an estimated 19,000 cancelled appointments and patients being forced to travel further afield to get treatment.

However, the report can’t estimate the impact of lost GP appointments and ambulance disruption.

It says: ‘A further 603 primary care and other NHS organisations were also infected, including 595 GP practices.

‘NHS England did not collect data on how many GP appointments were cancelled or how many ambulances and patients were diverted from the accident and emergency departments that were unable to treat patients.’

The NHS says no patient data was lost and no organisations paid the ransom, but the report concludes much of the disruption could have been avoided if organisations had installed routine operating system updates.

Meg Hillier MP, chair of the Commons Public Accounts Committee, said: ‘The NHS could have fended off this attack if it had taken simple steps to protect its computers and medical equipment. Instead, patients and NHS staff suffered widespread disruption, with thousands of appointments and operations cancelled.

‘The Department of Health failed to agree a plan with the NHS locally for dealing with cyber attacks so the NHS response came too late in the day.

‘The NHS and the Department need to get serious about cyber security or the next incident could be far worse.’

Prior to the attack, the CQC announced it would be inspecting practices’ data security and governance as part of its new inspection regime.