This is how much the WannaCry ransomware attack cost the NHS

Department of Health puts a figure on the financial cost of the incident, which disrupted patient care across the NHS.
Written by Danny Palmer, Senior Writer

The WannaCry ransomware cyber attack cost the National Health Service almost £100m and led to the cancellation of 19,000 appointments, the Department of Health has revealed.

The NHS wasn't specifically targeted by the global ransomware attack, but a significant number of hospitals and GP surgeries fell victim to the outbreak, which took advantage of a leaked NSA hacking tool to spread itself across vulnerable Windows systems.

A patch to protect against the EternalBlue vulnerability was released prior to the WannaCry outbreak, but despite warnings, a number of NHS Trusts hadn't applied the update.

Because of this, one third of NHS hospital trusts and around eight percent of GP practices found their IT systems disrupted by WannaCry ransomware, which left PCs encrypted and unusable, causing significant disruption to patients and care.

Now, almost 18 months on from the incident, the Department of Health has attempted to calculate the financial cost of WannaCry and puts the total figure at £92m.

The estimate includes lost output of patient care caused by reduced access to the information and systems required -- which lasted up to two weeks for some NHS Trusts -- and the cancellation of appointments during the attack, which together cost £19m.

The way in which WannaCry hit systems also led to the NHS spending an additional £500,000 on IT and security consultants between 12 and 18 May to restore data and systems affected by the attack.

However, the vast majority of the financial burden came in the months following the attack, with an estimated £72m spent across June and July 2017 in order to fix the damage and help ensure that systems were more secure in future.

The combined cost of lost output and IT costs comes to an estimated £92m. The Department of Health says the figure is only an estimate because "accurately assessing the costs would require collecting data from all organisations which itself would impose a disproportionate financial burden on the system".

Following WannaCry, it was announced that hospitals are going to get more resources to help protect against future attacks and that the whole NHS is set to move to Windows 10 in an effort to bolster security.

However, a report by MPs released earlier this year warned that both the NHS and the government must do more to ensure that patients are protected from cyber attacks.

"The Department of Health and Social Care and its arm's-length bodies were unprepared for the relatively unsophisticated WannaCry attack," said the Public Accounts Committee, which added that the incident must act as "a wake-up call for the NHS".

The UK's National Cyber Security Agency, the US Department of Homeland Security and other government security agencies have blamed North Korea for the WannaCry attack.

The US Department of Justice has even charged a North Korean officer in connection with WannaCry and other cyber attacks -- although North Korea has dismissed the accusations as a smear campaign, claiming the named individual doesn't exist.

