The key NHS data breach and cyber attack statistics in one place — why health tops the ICO's breach reports, what the Synnovis and Advanced supplier attacks did to patients and appointments, the first UK death publicly linked to a cyber attack, and the WannaCry baseline, with the data period stated next to every figure.

Health is consistently the most-reported personal-data-breach sector in the UK, and the NHS supplies the country's most serious named cyber cases. The reliable figures come from a short list of official sources: the Information Commissioner's Office (ICO) Data Security Incident Trends dataset, NHS England's incident reporting on the Synnovis attack, a written statement to the UK Parliament, ICO enforcement notices, a peer-reviewed study in The Lancet Digital Health, and the National Audit Office (NAO) investigation into WannaCry.

This page brings those figures together and is scoped to the health sector: the ICO health-sector share, the two named NHS-supplier incidents (Synnovis in 2024 and Advanced in 2022), their patient-safety impact, and the 2017 WannaCry baseline. Every figure carries its data period, and every source is linked in full at the end.

Key facts and figures

  • 3,820 personal-data breaches were self-reported to the ICO by the health sector across 2023–Q1 2025 — the most of any UK sector.
  • 11,000+ outpatient and elective appointments were postponed across south-east London after the June 2024 Synnovis ransomware attack.
  • ~600 patient-safety incidents were linked to the Synnovis attack, including cases of severe and moderate harm.
  • 1 patient death has been publicly confirmed as linked to the Synnovis attack — the first such case in the UK.
  • £32.7m was the estimated financial impact of the Synnovis attack in 2024.
  • £3.07m was the ICO fine issued to NHS supplier Advanced in March 2025 — its first penalty against a data processor under UK GDPR.
  • 79,404 people had personal data put at risk by the 2022 Advanced ransomware breach.
  • ~19,000 appointments were cancelled in a single week by the 2017 WannaCry attack, which disrupted more than 80 hospital trusts.

These are the latest figures available as of July 2026, and this page is updated as new data lands — the ICO's Data Security Incident Trends dataset refreshes quarterly (including the health-sector rows), NHS England updates its Synnovis reporting as the incident develops, and the NAO and Parliament report periodically on NHS cyber resilience.

Which sector reports the most data breaches to the ICO?

Health is the UK's most-reported data-breach sector, with 3,820 self-reported personal-data breaches to the ICO across 2023–Q1 2025 — ahead of education and childcare (3,246), retail and manufacturing (2,385) and finance, insurance and credit (2,175), according to an analysis of ICO records by Reward Gateway/Edenred reported by IT Brief. Health has held or shared the top spot in the ICO's incident data for several years running.

Two things drive that ranking, and neither is simply "the NHS is careless". First, healthcare processes special-category data at enormous scale — every patient interaction generates sensitive records — so the base of data at risk is vast. Second, the sector has a strong reporting culture and a dense web of statutory duties, so breaches that might go unrecorded elsewhere are logged and reported. The figure measures reported incidents, not necessarily the true relative rate of failure.

This page owns the health-sector slice of the ICO data. The full cross-sector comparison — how every industry stacks up, and the split between cyber and non-cyber causes — lives on our UK data breach statistics page, and the share caused by staff mistakes rather than attackers is broken down on our human error data breach statistics page.

What is the biggest NHS data breach or cyber attack in the UK?

By patient impact, the Synnovis ransomware attack of 3 June 2024 is the most serious NHS cyber incident on record — it is the first UK case in which a cyber attack has been publicly confirmed to have contributed to a patient's death, and it disrupted care for tens of thousands of people across south-east London. Synnovis is a pathology partnership serving King's College Hospital NHS Foundation Trust and Guy's and St Thomas' NHS Foundation Trust, and the attack crippled blood-testing and diagnostics across both.

By sheer scale of disruption, the 2017 WannaCry attack remains the largest single event: it hit more than 80 hospital trusts in one week. And by regulatory outcome, the 2022 Advanced breach produced the largest NHS-related ICO fine to date. The three sit at the top of the modern NHS record for different reasons:

IncidentWhenWhat happenedHeadline patient impact
Synnovis (pathology supplier)3 June 2024Qilin ransomware crippled pathology services at two London trusts11,000+ appointments postponed; ~600 patient-safety incidents; 1 confirmed linked death
Advanced (software supplier)August 2022LockBit ransomware via an account without multi-factor authenticationNHS 111 disrupted; records inaccessible for weeks; 79,404 people's data at risk
WannaCryMay 2017Global worm exploiting unpatched Windows systems80+ trusts disrupted; ~19,000 appointments cancelled in a week

Synnovis and Advanced were both attacks on NHS suppliers, not on the NHS directly — a pattern that now defines health-sector cyber risk. At the attack-type level, both incidents are covered on our UK ransomware statistics page, which owns the national ransomware totals; this page owns them at the sector and patient-impact level.

How many NHS appointments were cancelled by the Synnovis cyber attack?

The Synnovis attack led the two NHS foundation trusts to postpone 10,152 acute outpatient appointments and 1,710 elective procedures in the period immediately after 3 June 2024, according to a study published in The Lancet Digital Health in May 2025 drawing on NHS England data. By the time NHS England's forensic investigation was completed, the total had grown: by November 2025 the incident had caused delays to more than 11,000 outpatient and elective procedure appointments across south-east London, per NHS England's Synnovis incident hub (update of 10 November 2025).

The postponements reached into the most time-critical care. They included more than 100 cancer treatments and 18 organ transplants across King's College Hospital and Guy's and St Thomas', based on hospital reporting from June 2024. Pathology sits underneath almost every clinical decision — a hospital that cannot run blood tests cannot safely proceed with surgery, transfusion or transplant — which is why an attack on a testing supplier cascaded so widely through routine and emergency care alike.

How many patients were harmed by the Synnovis attack?

Nearly 600 patient-safety incidents were linked to the Synnovis attack, according to NHS data reported in January 2025. Revised harm figures record the severity of those incidents: 2 cases of severe harm, 11 of moderate harm and more than 120 of low harm across at least four London boroughs, per NHS data obtained by Bloomberg News in January 2025.

The most serious consequence came later. In June 2025, King's College Hospital NHS Foundation Trust confirmed that a patient death was linked to the attack — a long wait for a blood-test result was a contributing factor. It is the first case in the UK where a cyber attack has been publicly confirmed to have contributed to a death, and it moved the debate about healthcare cyber security from data protection into direct patient safety.

The data itself was not only delayed but stolen and published. The Qilin ransomware group leaked about 400GB of stolen data — including HIV, STI and cancer test results — after a $50m (about £39m) ransom deadline expired in June 2024, according to the group's dark-web leak site. That combination of operational disruption and the exposure of the most sensitive special-category health data is what makes supplier ransomware uniquely damaging in a healthcare setting.

How much did the Synnovis attack cost?

The financial impact on Synnovis was estimated at £32.7m in 2024, according to Digital Health News reporting in January 2025, a figure also reflected in the UK Government's written statement to Parliament (HCWS1046, 12 November 2025) on cyber security and resilience. That figure covers the direct hit to the pathology provider; it does not capture the wider cost to the two trusts of cancelled activity, recovery work and the clinical harm described above.

The Synnovis cost sits alongside the broader NHS cyber bill. For comparison at the national attack-type level — average UK ransomware recovery costs, the biggest systemic events and how many victims pay — see our UK ransomware statistics page. The financial impact of a supplier attack rarely stays with the supplier: it flows through to the health bodies that depend on it, and ultimately to patients whose care is delayed.

What was the ICO fine for the Advanced NHS breach?

The ICO fined NHS software supplier Advanced Computer Software Group £3,076,320 (£3.07m) in March 2025 — its first monetary penalty against a data processor under UK GDPR — cut from a provisional figure of £6.09m, according to the ICO and reporting by Pinsent Masons' Out-Law. The penalty is a landmark because it establishes that a processor, not only the controller that hired it, can carry direct regulatory liability for a security failure.

The underlying breach was severe. The 2022 Advanced ransomware attack put the personal data of 79,404 people at risk, including details of how to gain entry to the homes of 890 people receiving care at home; the entry point was a customer account with no multi-factor authentication. The attack also disrupted NHS 111 and left staff unable to access patient records for weeks, per the ICO and Pinsent Masons. A single missing control — MFA on one account — was enough to compromise a supplier serving critical national health infrastructure.

Advanced appears here as a health-sector case study. The full penalty ledger, how the ICO calculates fines and the wider enforcement trend live on our GDPR fines and enforcement statistics page, and the 72-hour breach-reporting duty these incidents engage is set out in our data breach response guide.

How bad was the WannaCry attack on the NHS?

The 2017 WannaCry attack disrupted more than 80 hospital trusts — and affected 236 trusts overall — plus 595 GP practices, cancelling around 19,000 appointments in a single week, according to the National Audit Office's 2018 investigation. WannaCry was not aimed at the NHS specifically; it was a global ransomware worm that spread through unpatched Windows systems, and the NHS was caught because many of its machines had not applied a security update that had been available for weeks.

The attack cost the NHS an estimated £92m — about £20m lost during the attack itself and £72m in IT restoration afterwards, per figures from the Department of Health and Social Care cited by the NAO. WannaCry is the historical baseline against which every later NHS incident is measured: it proved that basic cyber hygiene — patching, supported operating systems, network segmentation — is a patient-safety issue, and it prompted the DSPT and CAF assurance regimes the NHS runs today. The lesson recurred with Synnovis and Advanced, where the failure points were again mundane: an unpatched dependency, a single account without MFA.

Frequently asked questions

What is the biggest NHS data breach or cyber attack in the UK?

By patient impact, the Synnovis ransomware attack of June 2024 — it postponed more than 11,000 appointments, was linked to nearly 600 patient-safety incidents, and is the first UK cyber attack publicly confirmed to have contributed to a death. WannaCry (2017) caused the largest single-event disruption, hitting more than 80 trusts and cancelling around 19,000 appointments in a week, and the 2022 Advanced breach produced the largest NHS-related ICO fine at £3.07m.

How many NHS appointments were cancelled by the Synnovis cyber attack?

The two affected trusts initially postponed 10,152 acute outpatient appointments and 1,710 elective procedures (per The Lancet Digital Health, May 2025). By November 2025 the total had grown to more than 11,000 outpatient and elective appointments, according to NHS England — including over 100 cancer treatments and 18 organ transplants.

Has anyone died because of an NHS cyber attack?

Yes. In June 2025, King's College Hospital NHS Foundation Trust confirmed that a patient death was linked to the Synnovis attack, with a long wait for a blood-test result identified as a contributing factor. It is the first case in the UK where a cyber attack has been publicly confirmed to have contributed to a death.

Which sector reports the most data breaches to the ICO?

Health. The sector self-reported 3,820 personal-data breaches to the ICO across 2023–Q1 2025 — more than education and childcare (3,246), retail and manufacturing (2,385) or finance (2,175), per an analysis of ICO records reported by IT Brief. Large volumes of special-category data and a strong statutory reporting culture both push the health figure to the top.

What was the ICO fine for the Advanced NHS breach?

£3,076,320 (£3.07m), issued in March 2025 — the ICO's first monetary penalty against a data processor under UK GDPR, reduced from a provisional £6.09m. The 2022 ransomware attack it related to put 79,404 people's data at risk and disrupted NHS 111, entering via a customer account that lacked multi-factor authentication.

Sources & references

Most NHS and supplier breaches trace back to everyday failures — a missed patch, a single account without MFA, a mishandled record. Train your team to handle personal data safely and meet UK GDPR duties.

Explore the GDPR & Data Protection Course →
Mark McShane
Mark McShane
Health & Safety Training Specialist, Online CPD Academy

Mark writes about data protection, workplace compliance and accredited online training for GDPR & Data Protection Course, part of Online CPD Academy.