NHS chiefs warn a 'catastrophic' cyber attack is now a bigger threat than another pandemic
By SHAUN WOOLLER, EXECUTIVE HEALTH EDITOR

Published: 16:23, 5 June 2026 | Updated: 16:24, 5 June 2026

A ‘catastrophic’ cyberattack now poses a bigger threat to the NHS than another pandemic, health bosses have warned.

Sir Jim Mackey, chief executive of NHS England, yesterday told a board meeting that the risk had grown ‘dramatically’ in the past few weeks alone.

A new risk assessment published by the organisation this week shows it has increased its recorded risk level for cyber security to the highest possible grading of 25 out of 25.

Describing the likelihood as ‘frequent’ and impact as ‘catastrophic’, it cautions the risk is unlikely to abate for at least four years.

It means the impact is now considered the biggest single threat to the NHS.

Mark Bailie, chair of the NHS England technology committee, told the board the NHS’s sprawling and patchily-updated information systems are ‘a direct patient safety issue’.

The non-executive director previously told the March board meeting that the cyber threat was a major area of weakness.

Since then, it has emerged that patient data from UK Biobank – a government-supported research database – had been offered for sale on Chinese auction sites.

NHS suppliers are particularly vulnerable, with a lack of multi-factor authentication at pathology provider Synnovis allowing an attack in 2024 that led to blood test delays and a consequent patient death.

Sir Jim said: ‘We’ve all been a bit uncomfortable about how well prepared we were to cope with potential risk.

‘But the risk environment has now changed really dramatically and is accelerating.’

He revealed NHS England is planning to send a message to local leaders to set out several ‘basic things’ all organisations must do to reduce risk, ‘because we’re in a very much different risk environment now, we need everyone to pull together’.
The boss added: ‘We’re all tied together, and it’s a very connected system. So we need to all do what we need to do and stay agile to that as things develop.’

One cyber security expert told the Health Service Journal, a trade news website, that increased interoperability between systems and more use of AI had left the NHS more vulnerable.

This includes new AI tools that can potentially identify and weaponise vulnerabilities in IT systems and apps.

Mr Bailie said: ‘There are a series of new large language models like Mythos from Anthropic which will be released in the next four to six weeks.

‘These undoubtedly deliver a huge amount of capability for good and bad, about detecting vulnerabilities and how you might manage it, and therefore the attack surface will materially increase over the coming weeks.

‘The key to this is as the risks change, you’ve got to change the approach, and the team are taking it on, with full support from Jim, which has been great.’

Some NHS open source coding, for the likes of the NHS App, has been temporarily taken down from the internet because of the Mythos threat.

HSJ reported last month that NHS England and the Department of Health and Social Care are this year prioritising funding bids for cyber security improvements and ambient voice technology, which can listen to conversations and create automated transcripts for doctors.

The board risk assessment said NHS England had focused on ‘secure architecture, change management, cryptography, identity and access controls, and operational resilience measures like Cyber Security Operations Centre monitoring and backups’.

‘Additional safeguards cover vulnerability management, secure configuration, and supplier security,’ it said.
‘Mitigations focus on asset inventory, integrated assurance frameworks, legacy technology removal, insider threat monitoring and proactive vulnerability management.’

A major cyber security exercise is planned for next month, and NHS England is working on a comprehensive list of potentially vulnerable ‘organisational assets’.

The HSJ says the ‘insider threat monitoring’ is likely in response to official and unofficial use of AI in the NHS, as well as third-party contractors.

Cyber security consultant Saif Abed told the publication: ‘The recognition of this ongoing risk exemplifies the accelerating public health and national security threats facing the NHS stemming from both technology and a complex, ungoverned supply chain.

‘Although many mitigations are listed, I do not see significant discussion of how resiliency is to be built that preserves patient safety when disruptive attacks manifest.

‘The scale and clinical impact of cyber attacks will only grow with increasing interoperability and AI adoption across the NHS.’




