NHS and UK public bodies caught in new wave of cyber attacks
The United Kingdom’s public sector is facing a new wave of cyber attacks, with the NHS and local councils again on the front line. In the past few days, one of the country’s largest hospital trusts has confirmed a fresh data breach, while London boroughs are still working under emergency conditions after shared council systems were hit.
These incidents go beyond IT disruption. They raise live questions about how safely health, tax, housing, and social care data are stored, and whether essential services can keep running when networks are locked, phones go down, or staff are forced back to pen and paper.
At the same time, the government is considering new laws that could restrict ransom payments by critical national infrastructure, including the NHS, even as hospitals and councils weigh the immediate risk to patients and residents when systems are offline.
This piece looks at what has actually happened in the latest NHS and council cyber attacks, why public bodies keep getting hit, and what could change for patients, residents, and staff if this pattern continues. It sets out the recent breaches, the politics and money around them, and the quieter technical weaknesses that attackers are now exploiting.
By the end, the central dilemma is clear: how to make public services “secure by default” without choking them with cost, red tape, or risky shortcuts.
The story turns on whether the UK can harden its public sector fast enough to keep hospitals and councils running safely as cyber attacks escalate.
Key Points
Barts Health NHS Trust has confirmed that files containing invoice data for patients, staff, and suppliers were stolen after criminals exploited a security flaw in widely used enterprise software.
Three London borough councils – Westminster, Kensington and Chelsea, and Hammersmith and Fulham – are still dealing with a major cyber security incident affecting shared IT systems and phone lines.
The NHS is also managing the long tail of the 2024 Synnovis ransomware attack, which disrupted pathology services, delayed thousands of appointments, and has now been linked in official statements to at least one patient death.
Ministers are weighing a proposed ban on ransom payments, with potential exemptions for critical national infrastructure like the NHS, amid concern that a strict ban could shut down hospitals or councils in severe incidents.
Cyber regulators have issued fresh alerts to UK organisations about exploitable software vulnerabilities, increasing pressure on under-resourced IT teams in health and local government to patch systems at speed.
The pattern points to a wider supply-chain problem: shared IT platforms, third-party suppliers, and legacy systems are giving attackers multiple ways into the public sector at once.
Background
Cyber attacks on the UK public sector are not new, but the recent cluster is striking.
In June 2024, pathology supplier Synnovis was hit by a ransomware attack that crippled IT systems and disrupted services at several major NHS trusts in London. In a written statement to Parliament this autumn, ministers confirmed that more than 11,000 appointments and procedures were delayed and that the incident was a factor in one patient’s death.
By late 2024, Synnovis had restored services, but the data fallout continued well into 2025 as stolen information was reviewed and affected patients were notified.
On the local government side, London has already seen one high-profile case: a severe ransomware attack on Hackney Council in 2020, which left housing and benefits systems damaged for months. That incident became an early warning of how deeply a successful cyber attack can cut into everyday services.
The latest NHS breach at Barts Health and the new wave of council attacks arrive against this backdrop, and in the middle of a national push to digitise health and public services, centralise data, and make better use of analytics.
At the same time, the UK’s cyber-security strategy has faced criticism for underestimating online threats, even as extremists and hostile states grow more active in cyberspace.
Analysis
Political and Geopolitical Dimensions
The recent NHS and council cyber attacks land in the middle of a wider debate about national security and the state’s responsibility to defend essential services.
Ministers want to show they are making the UK a hard target for ransomware groups and state-linked actors. A proposed ban on ransom payments is meant to remove the financial incentive driving many attacks. But health and local government leaders worry a blunt ban could leave them unable to restore systems quickly during a crisis when lives or essential services are at stake.
Internationally, the UK’s public bodies face both criminal gangs seeking profit and state-linked actors testing Western infrastructure. Hospitals and local authorities have become soft, high-value targets in global campaigns. That puts the NHS and councils on the front lines of geopolitically driven cyber pressure.
Major software vulnerabilities also create diplomatic complexities. When attackers exploit flaws in popular enterprise platforms, intelligence and law-enforcement agencies across allied nations often coordinate responses, as patches and warnings become part of a larger geopolitical effort.
Economic and Market Impact
Cyber attacks on health trusts and councils generate heavy financial strain. Emergency IT contracts, manual workarounds, overtime, and compensation for affected individuals quickly add up. The Synnovis incident alone is estimated to have cost tens of millions of pounds once disruption and recovery were included.
The Barts Health breach adds further expense, including forensic investigation, legal fees, and potential regulatory penalties if investigators find shortcomings in data protection practices. Suppliers reliant on NHS or council systems may also feel the impact, especially when invoice or procurement platforms slow down.
Cyber-insurance markets are watching closely. A cluster of large public-sector breaches could push premiums higher or narrow cover, especially for organisations that depend heavily on shared systems or outsourced technical services. Councils already under budget pressure may struggle to secure affordable cover in future.
Social and Cultural Fallout
For patients and residents, the headline concern is simple: their personal data may not be safe.
In east London, some patients are being told that invoice-related data about their care may have been accessed. Many will never see evidence of misuse, but others may face targeted phishing attempts or fraud if attackers combine the stolen information with details from previous breaches.
Residents in the affected London boroughs face similar disruption. Phone lines to council services have been unreliable. Online forms for housing support or council tax are slow or unavailable. Vulnerable people who rely on local authority contact for social-care support can be left anxious when they cannot reach staff.
Repeated incidents erode trust in digital public services. When people are asked to sign up for patient apps, online council accounts, or national data platforms, memories of previous breaches can make them hesitate. This adds friction in communities where digital exclusion is already a challenge.
Technological and Security Implications
The latest wave of cyber attacks exposes three intertwined weaknesses: legacy infrastructure, shared systems, and third-party suppliers.
Many NHS and council networks still depend on older software that is difficult to update. When new high-severity vulnerabilities emerge, IT teams must move quickly to understand where those components are used and how to secure them.
Shared IT platforms promise cost-savings and standardisation, but they also create single points of failure. The London council incident shows how a breach in shared infrastructure can take down multiple authorities at once, creating regional disruption from one successful attack.
Third-party vendors add further exposure. The Barts incident appears linked to a flaw in a major enterprise suite, while the Synnovis ransomware attack showed how compromising one specialist supplier can disrupt multiple hospitals. Every outsourced contract becomes a potential attack path if the supplier’s defences are weak.
What Most Coverage Misses
Coverage often focuses on ransomware notes, leaked data, or service delays. Less attention is given to the structural decisions that determine the severity of an incident.
One of those decisions is centralisation. Shared systems and national platforms can improve security if managed professionally and funded properly. But if built on ageing infrastructure or supported by small teams, they risk turning into single points of nationwide vulnerability.
Another overlooked factor is staffing. Many NHS trusts and councils have small IT and cyber-security teams stretched across routine support, urgent patching, and incident response. These teams compete with the private sector for specialists and often lose. Without sustained investment in people, the gap between attackers’ capabilities and defenders’ capacity will widen.
Why This Matters
The people most exposed are those who must share their data with public bodies: patients needing care, residents seeking housing support, taxpayers contacting local authorities, and small businesses relying on permits and payments.
In the short term, cyber attacks mean delayed appointments, jammed phone lines, and anxiety about stolen information. Front-line staff absorb the pressure as they try to explain complex and evolving incidents in plain language.
Longer term, these incidents intersect with wider issues: tight public finances, debates over how health data should be used, and rising geopolitical tension in cyberspace. If the NHS becomes both a target and a potential source of innovation through data, protecting that information becomes even more critical.
Events to watch in the coming months include updates from the affected councils and NHS trusts on the scale of data exposure, findings from the UK data regulator, guidance from national cyber-security agencies, and progress on proposed legislation concerning ransom payments and resilience standards.
Real-World Impact
A nurse in east London logs in to find certain systems slow or restricted as her trust completes security checks after the breach. She spends more time confirming details with patients because she is less confident about what might have been exposed or altered.
A housing officer at a London borough council cannot access usual case records because shared platforms are partially offline. Home visits, which depend on clear information about arrears or safeguarding notes, become more stressful as staff rely on printouts and manual records.
A small NHS supplier sees invoice payments delayed as financial systems undergo security reviews. Cash flow tightens, forcing the owner to seek temporary credit while waiting for payments to restart.
A resident with limited digital skills who depends on calling the council for support hits dead lines or long waits after the attack. For them, “cyber security” becomes the reason a benefits query or housing repair cannot be resolved.
Road Ahead
The latest cyber attacks on the NHS and UK public bodies reveal a familiar pattern growing sharper: attackers are moving faster and hitting shared systems and suppliers that sit behind many services at once. Each incident exposes technical flaws but also deeper questions about how the state funds, organises, and protects its digital backbone.
The central choice now is whether to treat cyber resilience as a core public-service cost, like staffing or medication, or as an optional add-on. That decision will shape how well hospitals and councils can withstand the next wave of attacks without placing patients and residents at risk.
Over the next year, the clearest signs of direction will be measurable: whether incident numbers rise or fall, whether major breaches lead to real reforms, and whether front-line teams see fewer workarounds and downtime days. If those indicators worsen, this “new wave” will start to look less like a spike and more like a sustained shift in the threat landscape.
