“The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”

Amyas Morse, head of the National Audit Office

On Friday 12 May 2017 a computer virus, known as WannaCry, which encrypts data on infected computers and demands a ransom payment to allow users access, was released worldwide. WannaCry was the largest cyber attack to affect the NHS in England, although individual trusts had been attacked before 12 May.

The National Audit Office investigation focused on the ransomware attack’s impact on the NHS and its patients; why some parts of the NHS were affected; and how the Department and NHS national bodies responded to the attack.

The key findings of the investigation are: