What Did They Cost? And What Should UK SMEs Learn From Them?
The NHS is one of the most attacked organisations in the UK. That is not surprising when you combine:
- huge amounts of sensitive data
- ageing IT systems
- thousands of suppliers
- overworked staff
- complex networks
- life-critical operations
To cyber criminals, that is basically an all-you-can-eat buffet with MRI scanners.
The truth is that the NHS has suffered hundreds of cyber incidents over the years, ranging from phishing attacks and data breaches to full-scale ransomware attacks. But a handful of major incidents changed how the UK views cyber security entirely.
The biggest and most damaging include:
- the 2017 WannaCry ransomware attack
- the 2022 Advanced software supply-chain attack
- the 2024 Synnovis ransomware attack
These attacks caused:
- cancelled operations
- delayed cancer treatment
- disrupted blood transfusions
- data leaks
- months of operational chaos
- tens of millions of pounds in recovery costs
And the uncomfortable reality for SMEs is this:
Most of the weaknesses exploited in the NHS also exist inside ordinary UK businesses.
The 2017 WannaCry Attack
What Happened?
In May 2017, the global WannaCry ransomware attack hit organisations worldwide.
The NHS became one of the most famous victims.
More than 80 NHS trusts and thousands of devices were affected.
Systems suddenly locked up.
Staff lost access to records.
Appointments were cancelled.
Ambulances were diverted.
Some hospitals reverted to paper systems.
The attack spread extremely quickly because WannaCry behaved like a worm, automatically moving across vulnerable systems.
How Did Attackers Get In?
The attack exploited a known vulnerability in the SMBv1 file-sharing service of Microsoft Windows, using an exploit called EternalBlue.
The frightening part?
Microsoft had already released a security patch before the attack happened.
Many NHS systems had simply not been updated.
Some hospitals were still running:
- Windows XP
- unsupported operating systems
- legacy medical devices
- outdated network infrastructure
The attackers did not need sophisticated espionage.
They largely exploited poor patching and unsupported systems.
That is one of the most important lessons SMEs still ignore.
What Did It Cost?
The UK government later estimated the total NHS impact at around £92 million.
That included:
- roughly £20m from disruption and lost activity
- around £72m restoring systems and data
Thousands of appointments and procedures were cancelled.
The true cost was probably higher because:
- staff productivity collapsed
- emergency processes slowed care
- hospitals had to operate manually
- reputational damage lasted years
How Long Did Recovery Take?
The initial crisis lasted days.
But the operational and infrastructure recovery lasted months.
Some NHS organisations spent years replacing legacy systems and rebuilding resilience afterwards.
The attack became a turning point for NHS cyber investment.
The 2022 NHS Advanced Supply Chain Attack
What Happened?
In 2022, cyber criminals targeted Advanced, a software supplier used widely across the NHS.
The attack disrupted:
- NHS 111 services
- patient records
- booking systems
- healthcare scheduling
This was a classic supply-chain attack.
Instead of attacking every hospital individually, attackers targeted a trusted supplier connected to many organisations.
How Did Attackers Get In?
Reports indicated attackers gained access using:
- stolen credentials
- weak authentication controls
- insufficient MFA protection
This attack highlighted a massive modern cyber problem:
Your business can be compromised through someone else.
SMEs often believe:
“We are too small to be attacked.”
But attackers increasingly target:
- suppliers
- accountants
- MSPs
- payroll firms
- cloud providers
- outsourced IT companies
Because one compromise can unlock dozens or hundreds of organisations.
How Long Did Recovery Take?
Some NHS disruption lasted for months.
Services gradually recovered, but backlog effects continued much longer.
Healthcare is unusually sensitive to downtime because delayed systems directly affect patient care.
A small business may lose sales during downtime.
A hospital may delay chemotherapy.
That changes the severity dramatically.
The 2024 Synnovis Ransomware Attack
What Happened?
In June 2024, pathology provider Synnovis suffered a major ransomware attack linked to the Qilin cybercriminal group.
The attack heavily disrupted pathology services across South-East London.
Affected organisations included:
- Guy’s and St Thomas’
- King’s College Hospital
- GP surgeries
- blood testing services
Over 10,000 appointments and procedures were disrupted.
Blood testing capacity collapsed.
Some operations were postponed.
Urgent care had to be prioritised.
According to later reporting, the attack even contributed to patient harm.
How Did Attackers Get In?
Investigations suggested the attack may have involved weaknesses around remote access and authentication.
Reports indicated that stronger two-factor authentication might have prevented or reduced the attack.
Once attackers gained access, ransomware encrypted systems and disrupted pathology operations.
This is the modern ransomware playbook:
- gain access
- move laterally
- steal data
- encrypt systems
- threaten publication
- demand ransom
What Did It Cost?
Synnovis estimated direct losses of roughly £32.7 million.
That included:
- IT rebuild costs
- operational disruption
- staffing costs
- recovery expenses
- delayed activity
The wider NHS impact was likely much larger.
How Long Did Recovery Take?
This is the part SMEs rarely appreciate.
Recovery from ransomware is not:
“Turn systems back on Monday morning.”
The disruption lasted for months.
Reports suggested:
- major restoration took many months
- some systems were only fully restored by late autumn 2024
Some operational impacts continued even longer.
Rebuilding safely after ransomware is painfully slow because organisations must:
- rebuild infrastructure
- verify systems
- restore backups
- reissue credentials
- investigate breaches
- validate data integrity
- meet regulatory obligations
And all of that happens while operations are already damaged.
What UK SMEs Should Learn From NHS Cyber Attacks
Downtime Is Usually More Expensive Than The Ransom
Most SMEs think:
“We would never pay hackers.”
Then payroll fails for 8 days.
Or customer bookings disappear.
Or the warehouse stops shipping.
Or invoices vanish.
The real financial damage often comes from:
- downtime
- missed sales
- staff disruption
- recovery consultants
- legal costs
- insurance increases
- reputation damage
The NHS learned this brutally.
SMEs usually learn it when it is already too late.
Backups Alone Are Not Enough
Many businesses proudly announce:
“We have backups.”
But:
- are they offline?
- are they immutable?
- are they tested?
- how quickly can they restore?
- can attackers access them too?
Many ransomware gangs deliberately target backups first.
A backup that cannot restore quickly is basically digital theatre.
Humans adore pretending disaster recovery exists because someone bought a NAS drive in 2019.
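A restore drill that answers the "are they tested" and "how quickly can they restore" questions above, as an added example that is not from the original post: it restores a backup into an isolated scratch directory, verifies every file against a checksum manifest taken at backup time, and fails if the restore overruns an assumed five-minute recovery time objective. The sample files, paths and the RTO are constructed for the demo; the helper names are hypothetical.

```shell
#!/bin/sh
# Restore drill: restore a backup into an isolated scratch directory, verify every
# file against the checksum manifest captured at backup time, and fail if the
# restore takes longer than the agreed recovery time objective (RTO).
set -eu

RTO_SECONDS=${RTO_SECONDS:-300}   # assumed RTO for the demo: 5 minutes
if command -v sha256sum >/dev/null 2>&1; then SHA=sha256sum; else SHA="shasum -a 256"; fi

# SHA-256 of every file under a directory as "hash  ./relative/path", sorted.
hash_files() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do $SHA "$f"; done )
}

# Take a backup: the archive plus a manifest of what it should contain.
make_backup() {
  hash_files "$1" > "$2/manifest.sha256"
  tar -cf "$2/backup.tar" -C "$1" .
}

# The drill. Returns 0 only if the restored tree matches the manifest within the
# RTO; 1 on an integrity mismatch (corrupt or tampered backup), 2 on an RTO breach.
restore_drill() {
  backup=$1; scratch=$2
  start=$(date +%s)
  mkdir -p "$scratch"
  tar -xf "$backup/backup.tar" -C "$scratch"
  hash_files "$scratch" > "$scratch.actual"
  elapsed=$(( $(date +%s) - start ))
  if ! cmp -s "$backup/manifest.sha256" "$scratch.actual"; then
    echo "FAIL: restored files differ from the backup manifest"
    return 1
  fi
  if [ "$elapsed" -gt "$RTO_SECONDS" ]; then
    echo "FAIL: restore took ${elapsed}s, RTO is ${RTO_SECONDS}s"
    return 2
  fi
  echo "PASS: $(wc -l < "$backup/manifest.sha256") files restored and verified in ${elapsed}s"
}

# Constructed demo data (not real records) so the drill runs offline.
demo() {
  t=$(mktemp -d)
  mkdir -p "$t/src/records" "$t/bak"
  printf 'sample,row\n' > "$t/src/records/results.csv"
  printf 'setting=1\n' > "$t/src/app.conf"
  make_backup "$t/src" "$t/bak"
  restore_drill "$t/bak" "$t/restore-test"
}
demo
```

Run it on a schedule against a copy of the real backup set and record the elapsed time; a drill that has never been run is the "digital theatre" the section describes.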
Supply Chains Are A Major Weakness
The NHS attacks repeatedly showed suppliers can become entry points.
SMEs should review:
- IT providers
- cloud platforms
- remote access vendors
- payroll systems
- accountants
- CRM platforms
- outsourced developers
One weak supplier can compromise everybody connected to them.
MFA Should Be Mandatory
Multi-factor authentication would have reduced risk dramatically in many attacks.
SMEs still avoid MFA because:
“Staff find it annoying.”
Ransomware is generally more annoying.
Patch Management Is Not Optional
WannaCry largely succeeded because systems were not patched.
Many SMEs still:
- delay updates
- ignore firmware
- run unsupported systems
- keep old Windows machines alive forever
That creates easy entry points.
Incident Response Matters More Than Most Businesses Realise
When attacks happen, chaos destroys organisations.
The businesses that recover fastest usually already have:
- response plans
- offline contacts
- recovery playbooks
- tested backups
- cyber insurance
- external incident-response support
The NHS had entire emergency response structures and still struggled massively.
Most SMEs have none.
What Would Have Prevented Many Of These Attacks?
Strong Patch Management
The single biggest factor in WannaCry.
Keeping systems updated sounds boring because it is boring.
Cyber security is often about consistently doing boring things correctly.
Multi-Factor Authentication
One of the highest-value security controls available.
Particularly for:
- Microsoft 365
- VPN access
- remote desktop
- cloud platforms
- admin accounts
Network Segmentation
Many NHS attacks spread widely because systems were heavily interconnected.
SMEs should separate:
- finance systems
- backups
- production environments
- user devices
- admin systems
Otherwise attackers move freely once inside.
Zero Trust Access
Modern security assumes:
“No user or device is automatically trusted.”
That dramatically limits lateral movement.
Staff Awareness Training
Phishing remains one of the most common entry points.
Training staff to:
- recognise suspicious emails
- report incidents quickly
- avoid credential theft
- identify fake login pages
still prevents huge numbers of attacks.
Tested Recovery Plans
Not theoretical recovery.
Tested recovery.
Businesses should know:
- how long recovery takes
- which systems recover first
- who makes decisions
- who contacts customers
- who contacts insurers
- who contacts regulators
Because during an actual ransomware attack, people panic very quickly.
And panic is not a cyber strategy. Humans keep trying it anyway.
Final Thoughts
NHS cyber attacks matter to SMEs because they demonstrate something critical:
Even massive organisations with dedicated IT teams, government support and national infrastructure can still be crippled by cyber attacks.
The gap between a hospital trust and a small business is often smaller than people imagine.
Most attacks still exploit:
- weak passwords
- missing MFA
- unpatched systems
- poor visibility
- supplier weaknesses
- inadequate backups
The NHS attacks exposed the real cost of cyber failure:
- financial loss
- operational paralysis
- reputational damage
- patient harm
- months of disruption
For SMEs, the lesson is simple:
Cyber security is no longer an “IT problem”.
It is business continuity.
It is operational survival.
And increasingly, it is the difference between recovery and collapse.