Three things happened in UK healthcare in the last three months that, taken together, are forcing a reckoning the sector has been postponing for two years.

NHS Scotland experienced a cyberattack in March 2026 that caused network outages across multiple health boards, disrupting clinical systems and leading to delayed patient care. NHS Dumfries and Galloway suffered a separate incident in which 150,000 households were warned of potential data exposure and three terabytes of sensitive data — including x-rays and test results — was published online. And the Synnovis incident, whose direct costs have now reached £32.7m, has been linked to at least one patient death.

This is the sector where concentration risk meets the lowest acceptable downtime threshold. It is also the sector where the consequences are no longer abstract.

Why healthcare lands first

Three structural properties make healthcare uniquely exposed to the kinds of attack we have seen in 2025 and 2026.

Concentration. A small number of vendors supply the systems that underpin large fractions of the sector. ChipSoft serves roughly 70% of Dutch hospitals. Synnovis runs pathology services across multiple NHS trusts in south-east London. A single GP software vendor underpins thousands of UK practices. Compromise at any of these layers produces outages at a scale individual hospitals cannot absorb.

Time-critical services. Healthcare cannot easily shed load when systems fail. A retailer can take its website offline for forty-six days and lose £300m; an A&E department cannot take its imaging systems offline for an afternoon without changing clinical outcomes. The window between system failure and patient harm is much shorter, and the manual workarounds that work in other sectors do not always work here.

Trust-dependent data. The data healthcare handles — diagnoses, treatment plans, mental health records, sexual health records, child protection records — has a specific kind of weight. The reputational cost of exposure is high even when the operational cost is contained. Patients do not return to providers whose discretion has visibly failed.

These three properties combine to make healthcare the sector where the worst-case scenarios under any cyber threat actor's planning are also the highest-impact.

The Synnovis arithmetic

Synnovis is the case study that sets the reference point for everything else. The June 2024 ransomware attack on the pathology provider — a joint venture between SYNLAB and two NHS trusts — disrupted blood testing, pathology reporting, and transplant matching across multiple south-east London hospitals for weeks.

The direct cost has now been formally accounted at £32.7m. That number does not include the most significant cost. NHS England has attributed at least one patient death to the disruption — a person whose treatment depended on a pathology result that could not be produced in time. The clinical inquiry is continuing.

The arithmetic from Synnovis is what UK healthcare leadership is now having to internalise. The financial cost is recoverable in principle. The clinical cost is not.

What NHS Dumfries and Galloway adds

The Dumfries incident adds a different lesson. The financial impact, while real, is dwarfed by the disclosure impact. Three terabytes of patient data published online, including x-ray images and test results, is the kind of disclosure that does not heal. A patient whose mental health record was in that data set cannot have it un-published. The cost to that individual is permanent.

What this surfaces is the property of healthcare data that distinguishes it from financial data or even most personal identity data: it cannot be reissued, cannot be remediated, cannot be rotated. A compromised credit card can be replaced. A compromised diagnosis cannot.

What NHS Scotland adds

The Scotland incident adds the systemic lesson. A coordinated attack against multiple health boards produced cascading clinical-system outages that could not be contained at the level of any individual board. The mitigation strategy of "isolate the affected entity" worked when entities were independent. It does not work when entities share infrastructure, share suppliers, or share authentication providers.

The implication is that incident response in healthcare needs to be planned at a system level, not at a trust or health-board level. Few NHS regions have actually exercised an incident response of this shape. The Scotland incident is the most credible argument that they should.

For healthcare boards

Four questions worth putting on the next board agenda — and these are questions for trust boards, ICB boards, and the boards of the suppliers underneath.

Which of our critical clinical services would stop within four hours if any single supplier failed? Name the supplier and name the service. The four-hour figure is the rough threshold beyond which manual workarounds start to produce clinical risk. The firms that cannot name the dependency are the firms most exposed.

If a Synnovis-shaped event hit us next month, what would our regulatory and clinical-governance plan be in the first twenty-four hours? Not in the abstract; in the form of named individuals, named decisions, and named escalations. The Synnovis response showed which trusts had this plan and which were inventing it under pressure.

What is our minimum acceptable downtime for each critical system, and is that downtime achievable from our current backup posture in a ransomware scenario? The honest answer for many systems is no. The work is to either accept that answer or invest to change it.

Of our data, what is the volume of records whose disclosure would produce permanent, unrecoverable patient harm? Where is it stored, who can access it, and is it covered by encryption at rest with keys we control? This is the Dumfries question, and the volume of records implicated is usually higher than expected.
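The four questions above, together with the shared-infrastructure point from the NHS Scotland section, amount to a dependency inventory that a board can have maintained and queried rather than answered from memory. The following is an added example and is not part of the original article; every supplier, service, record count and recovery time in it is constructed and hypothetical, and the only figure taken from the text is the rough four-hour clinical-risk threshold.

```python
"""Supplier dependency and blast-radius assessment over a clinical service inventory.

Added example, not from the original article. All names and numbers below are
constructed for illustration; the four-hour threshold is the article's rough figure.
"""
from collections import defaultdict
from dataclasses import dataclass

CLINICAL_RISK_THRESHOLD_H = 4.0  # manual workarounds start producing clinical risk beyond this


@dataclass(frozen=True)
class Service:
    name: str
    max_tolerable_downtime_h: float  # minimum acceptable downtime for this service
    depends_on: frozenset            # every listed dependency is required (AND semantics)
    irreplaceable_records: int       # records whose disclosure is permanent, unrecoverable harm
    keys_we_control: bool            # encrypted at rest with keys the organisation controls


@dataclass(frozen=True)
class Dependency:
    name: str
    recovery_h: float                # achievable recovery time from current backups after ransomware
    shared_with_other_boards: bool   # shared platform: isolating one board cannot contain an outage


# Constructed inventory (hypothetical suppliers, services and figures).
DEPENDENCIES = {d.name: d for d in [
    Dependency("PathologyCo", recovery_h=72.0, shared_with_other_boards=True),
    Dependency("EPR vendor", recovery_h=24.0, shared_with_other_boards=True),
    Dependency("Regional identity provider", recovery_h=8.0, shared_with_other_boards=True),
    Dependency("On-prem PACS", recovery_h=2.0, shared_with_other_boards=False),
]}

SERVICES = [
    Service("Blood transfusion matching", 2.0,
            frozenset({"PathologyCo", "Regional identity provider"}), 40_000, True),
    Service("A&E imaging", 1.0,
            frozenset({"On-prem PACS", "Regional identity provider"}), 250_000, False),
    Service("Mental health records", 24.0,
            frozenset({"EPR vendor", "Regional identity provider"}), 60_000, False),
    Service("Outpatient booking", 48.0,
            frozenset({"EPR vendor"}), 0, True),
]


def blast_radius(services, dependency_name):
    """Services that stop outright if this single dependency fails."""
    return sorted(s.name for s in services if dependency_name in s.depends_on)


def stops_within(services, hours):
    """Question 1: per dependency, the services that reach clinical risk within `hours`."""
    out = defaultdict(list)
    for s in services:
        if s.max_tolerable_downtime_h <= hours:
            for dep in s.depends_on:
                out[dep].append(s.name)
    return {dep: sorted(names) for dep, names in out.items()}


def rto_gaps(services, deps):
    """Question 3: services whose tolerable downtime is shorter than the slowest
    dependency's achievable recovery time; value is the shortfall in hours."""
    gaps = {}
    for s in services:
        worst = max(deps[dep].recovery_h for dep in s.depends_on)
        if worst > s.max_tolerable_downtime_h:
            gaps[s.name] = worst - s.max_tolerable_downtime_h
    return gaps


def shared_dependencies(services, deps):
    """Scotland lesson: dependencies shared across boards, ranked by blast radius,
    because these are the ones 'isolate the affected entity' cannot contain."""
    shared = [d for d in deps.values() if d.shared_with_other_boards]
    ranked = ((d.name, len(blast_radius(services, d.name))) for d in shared)
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def unprotected_irreplaceable_records(services):
    """Question 4: irreplaceable records not encrypted at rest with keys we control."""
    return sum(s.irreplaceable_records for s in services if not s.keys_we_control)


if __name__ == "__main__":
    print("Stops within 4h, by dependency:", stops_within(SERVICES, CLINICAL_RISK_THRESHOLD_H))
    print("Recovery-time shortfalls (h):", rto_gaps(SERVICES, DEPENDENCIES))
    print("Shared dependencies by blast radius:", shared_dependencies(SERVICES, DEPENDENCIES))
    print("Unprotected irreplaceable records:", unprotected_irreplaceable_records(SERVICES))
```

The useful output is not the totals but the named pairs: which supplier, which service, and by how many hours the current backup posture misses the tolerable downtime. A shared identity provider that sits under three clinical services, as in the constructed inventory, is exactly the kind of dependency that never appears on a single trust's risk register and only becomes visible when the inventory is assembled across the system.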

The closing observation

Healthcare boards have, broadly speaking, two options.

The first is to treat the 2025–2026 wave as an unfortunate sequence of events to be weathered, with marginal improvements to existing controls and a continued reliance on the same supplier topology.

The second is to treat it as the visible part of a structural exposure that will continue, predictably, until the supplier topology changes — until the concentration of critical clinical systems in a small number of vendors is treated as a sector-level risk to be reduced rather than an efficiency to be preserved.

The first option is the cheaper one in any given year. It is also the option under which the next patient death attributable to a cyber incident is a question of when, not if.

The second option requires a degree of strategic patience and cross-trust coordination that the sector has not historically demonstrated.

Whichever option boards choose, the choice should be made knowingly, recorded in the minutes, with the chair's name attached. Healthcare's reckoning is not abstract anymore. It is in the numbers.