Major cyber security incident declared at Merseyside hospital
- 26 November 2024
- Wirral University Teaching Hospital NHS Foundation Trust has declared a major cyber security incident
- A trust spokesperson said the ongoing incident is likely to impact performance at Arrowe Park Hospital in Wirral
- All outpatient appointments scheduled for 26 November have been cancelled and longer waits are expected in the emergency department
A “major incident” has been declared at Wirral University Teaching Hospital NHS Foundation Trust “for cyber security reasons”.
In a statement on the trust website, published on 25 November 2024, a spokesperson for the trust said that all outpatient appointments at the trust have been cancelled and the ongoing incident is likely to impact performance at Arrowe Park Hospital in Wirral.
“A major incident has been declared at the trust for cyber security reasons.
“Our business continuity processes are in place, and our priority remains ensuring patient safety.
“All outpatient appointments scheduled today are cancelled. We apologise for any inconvenience and we will contact our patients as soon as possible to rearrange.
“We urge all members of the public to attend the Emergency Department only for genuine emergencies. For non-urgent health concerns, please use NHS 111, visit a walk-in centre, urgent treatment centre, your GP, or pharmacist.”
The trust posted on X about the incident.
🚨 Incident Update 🚨
We are responding to a cyber security issue. Patient care remains our priority. All outpatient appts today are cancelled—we will contact you to rearrange.
Please attend A&E only for emergencies.
For non-urgent care use NHS 111, a GP walk-in or pharmacist.
Wirral NHS Hospitals – Arrowe Park & Clatterbridge (@WUTHnhs), November 26, 2024
A staff member told the Liverpool Echo: “Everything is down. Everything is done electronically so there’s no access to records, results or anything so we are having to do everything manually, which is really difficult. The damage is huge.”
A spokesperson from the National Cyber Security Centre (NCSC) said: “We are working with NHS England to fully understand the impact of an incident.”
The cyber attack is the latest to disrupt NHS services, following a ransomware attack on pathology provider Synnovis in June 2024, which led to 10,152 acute outpatient appointments and 1,710 elective procedures being postponed at King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS FT, and at least five cases of moderate patient harm.
NHS Dumfries and Galloway was also hit by a cyber attack in March 2024, which led to hackers publishing stolen patient information on the dark web.
Despite these attacks, Mike Fell, executive director of national cyber security operations at NHS England, told Digital Health News that cyber attacks “have plateaued, if not are on a downward trend, particularly against the NHS”.
According to the Department of Science, Innovation and Technology (DSIT), the Cyber Security and Resilience Bill, which is due to be introduced to Parliament in 2025, will prevent attacks on the NHS.
In a statement published on 30 September 2024, the DSIT said: “This Bill will fill an immediate gap in our defences and prevent similar attacks experienced by critical public services in the UK, such as the recent ransomware attack impacting London hospitals.”
In September 2024, an updated cyber resilience framework for health and social care organisations was announced by the National Data Guardian and NHS England.
The change to how organisations measure and self-report their data security capabilities is part of the Department of Health and Social Care’s ‘Cyber security strategy for health and social care: 2023 to 2030’, which aims to align health and care with cyber resilience standards across other sectors.
NHS trusts are also taking action to strengthen their defences against cyber crime. In November 2024, Barts Health NHS Trust rolled out Cynerio’s healthcare-focused cyber security platform across all of its sites.
Fell will be speaking at Rewired 2025 at the NEC in Birmingham on 18-19 March 2025.