NHS staff targeted by nearly 140,000 malicious emails last year

Cyber criminals bombarded NHS staff with a total of 137,476 malicious emails last year, according to official figures from NHS Digital, the national provider of information, data, and IT systems for the health service.  

The data, obtained under the Freedom of Information (FOI) Act by the Parliament Street think tank, revealed that doctors, nurses and admin staff reported 27,958 suspected phishing emails targeted the NHSmail email service, designed to lure the recipient into handing over confidential data. Additionally, health workers reported 109,491 suspected spam emails throughout the year. 

The data shows that January 2020 was the highest month for reported attacks, with 29,355 in total, made up on 4,895 phishing attempts and 24,460 spam reports. The next highest month was the peak of UK lockdown restrictions in response to the Covid-19 pandemic, with 28,855 malicious emails reported, made up of 5,749 phishing attacks, and 23,106 spam reports. 

The period from April to December saw a steady decline in the number of suspicious emails reported to NHS Digital, decreasing from 11,068 in April, down to a yearly-low of 4,382 in December.

Despite these lower figures, in June 2020 NHS Digital revealed that more than a hundred NHSmail mailboxes had been compromised, and were sending malicious emails to external recipients.

Chris Ross of International at Barracuda Networks said:

“These figures are a reminder that when it comes to stealing confidential data and wreaking havoc, cyber criminals still consider our health service to be fair game. Unfortunately, these scam emails are often incredibly realistic, lulling the victim into a false sense of security to hand over passwords, patient records, and sensitive information by impersonating legitimate brands and even fellow employees. 

“With the global pandemic putting a huge strain hardworking doctors, nurses, and clinical staff, it’s absolutely vital that email systems are properly protected from outsider threats, to block malicious emails before they reach the inbox. 

“It is equally important for Trusts to issue the necessary guidance about the risks associated with phishing attacks, so that staff are aware of the techniques associated used and can think twice before handing over important information to suspicious third parties.”