NHS Cyber Attack – Legal Considerations


On Friday 12th May, a large-scale cyber attack hit thousands of computers around the globe, including NHS IT systems, causing havoc in health services across the UK. The attack used ransomware, which encrypts a user's files and demands payment to restore access.

This cyber attack raises a range of questions for affected organisations, not just around the technical security of IT systems but the legal implications too.

Once system stability has been restored, affected organisations will need to respond to the fallout, and even those not affected this time will want to take preventative action to protect their systems, customers and other stakeholders from the consequences of future attacks.

Managing the immediate legal issues

  • Breach Investigation and Reporting to the Information Commissioner's Office (ICO) - Organisations will need to understand how to manage any data breaches and ensure they report to the ICO where appropriate. Reporting breaches early, and including detail around the measures and systems that are in place to avoid similar future breaches, should help organisations to mitigate or avoid regulatory enforcement action as far as possible. Some NHS Trusts may need help preparing a report.
  • Liabilities and claims - Organisations may need to take advice around any liability/claims arising from the cyber breach, including potential claims against the organisation by service users, providers and third-party contractors. This includes looking at the contractual position with external/outsourced IT/virus protection providers and providing notification to insurers (if there is cyber cover in place) in order that any losses can be recovered.

Protecting against future attacks

  • Systems – organisations should look at undertaking a review of what can be done to minimise the risks in future, including reviewing their system protection, back-up capabilities, etc.
  • Training – making sure staff have adequate training to respond effectively in the event of an attack, including crisis management training and even testing the level of preparedness through mock cyber-attack simulations. 

Bevan Brittan has multi-disciplinary teams who can help advise around the various IT, Information Law, Governance/Investigatory, Regulatory and Reputational Management aspects of a cyber attack. If you want to understand more, please contact Adam Kendall.
