British hospital group declares ‘major incident’ following cyberattack

The NHS Trust responsible for a group of hospitals in northwest England has declared a “major incident” following a cyberattack, invoking the crisis management status for events that pose a serious risk to public health.

A statement on the website for Wirral University Teaching Hospital NHS Foundation Trust says: “A major incident has been declared at the Trust for cyber security reasons.”

The nature of the incident has not been disclosed. Outpatient appointments have been cancelled, and patients are being asked not to attend the hospital unless they have a “genuine emergency.”

“We apologise for any inconvenience and we will contact our patients as soon as possible to rearrange,” a spokesperson said.

The Trust is responsible for several hospitals and other health services in the Wirral —  a peninsula between the river Mersey in England and northeast Wales — including Arrowe Park Hospital, Clatterbridge Hospital, and Wirral Women and Children’s Hospital.

A staff member at the Trust told local newspaper the Liverpool Echo: “Everything is down. Everything is done electronically so there’s no access to records, results or anything so we are having to do everything manually, which is really difficult. The damage is huge.”

The incident follows a series of cyber incidents that have impacted the United Kingdom’s health service this year, including a ransomware attack that caused a critical incident to be declared across several of London’s largest hospitals.

That attack, on pathology services provider Synnovis, had the knock-on effect of leaving national blood stocks in a perilous position, with an urgent call for O-type blood donations issued as doctors and nurses struggled to make blood matching tests.

Ultimately, more than 10,000 appointments and over 1,600 operations — including some for cancer treatments — were cancelled due to the disruption. Almost a million people are believed to have had their sensitive medical data leaked online as part of the criminals’ extortion attempt.

In a separate incident following that attack, every single household in the Scottish region of Dumfries and Galloway received a letter warning residents that their data was likely to have been accessed by cybercriminals who had hacked their local NHS Trust.

The government plans to address the country’s cybersecurity shortcomings with a new Cyber Security and Resilience Bill, currently expected to be introduced to parliament next year.