Cyber Incident Victim: National Health Service

Date: Mar 2020

Location: United Kingdom

Summary

During the COVID-19 pandemic, the National Health Service experienced a surge in phishing and spam email attacks targeting staff, with over 40,000 malicious messages reported over several months, including attempts to redirect salary payments through impersonation scams and credential theft via fraudulent links. Compromised NHSmail accounts were exploited to send additional malicious emails externally. Cybersecurity teams heightened awareness campaigns and promoted reporting mechanisms amid increased remote work vulnerabilities, while attackers leveraged pandemic-related confusion to target critical healthcare services.

Description

During the COVID-19 pandemic, NHS staff faced a significant increase in malicious email campaigns between March and July 2020. Over 40,000 spam and phishing emails were reported to the NHSmail reporting address ([email protected]) during this period, with March seeing the highest volume at 21,188 reported incidents. Reported attacks declined in subsequent months but remained substantial: 8,085 in April, 5,883 in May, 6,468 in June, and 1,484 in the first half of July. NHS Digital acknowledged these figures likely underrepresented the true scale, as they only included emails formally reported through official channels. The attacks coincided with heightened pressure on healthcare services globally, with threat actors exploiting pandemic-related uncertainties. Specific campaigns included impersonation attempts targeting HR and payroll departments at St Helens and Knowsley Hospitals NHS Trust, where fraudsters requested bank account changes for salary diversion. Other phishing emails contained malicious links disguised as paycheck verification systems.

NHS Digital's cybersecurity teams responded by intensifying monitoring of NHSmail systems, revealing that 113 NHSmail mailboxes had been compromised to send malicious emails externally. Chief Information Security Officer Neil Bennett emphasized staff vigilance through the "Keep I.T. Confidential" awareness campaign, which promoted reporting of suspicious emails and reinforced remote work security protocols. Collaboration with the National Cyber Security Centre (NCSC) and other agencies helped disseminate threat intelligence across NHS organizations. Despite these measures, cybersecurity specialists like ESET's Jake Moore warned of impending "second wave" attacks exploiting vaccine-related developments and persistent remote work vulnerabilities. NHS Digital published additional remote work guidance while maintaining 24/7 security operations to protect patient data and critical care systems throughout the crisis. The sustained targeting highlighted healthcare's vulnerability during global emergencies, with email remaining the primary attack vector throughout the incident period.