NHS Cyber Attack – Legal Considerations


Adam Kendall


On Friday 12th May, a large-scale cyber attack hit thousands of computers around the globe, including NHS IT systems, causing havoc in health services across the UK. The attack used ransomware, which encrypts a user's files and demands payment to restore access.

This cyber attack raises a range of questions for affected organisations, not just around the technical security of IT systems but the legal implications too.

Once system stability has been restored, affected organisations will need to respond to the fallout, and even those not affected this time will want to take preventative action to protect their systems, customers and other stakeholders from the consequences of future attacks.

Managing the immediate legal issues

  • Breach Investigation and Reporting to the Information Commissioner's Office (ICO) - Organisations will need to understand how to manage any data breaches and ensure they report to the ICO where appropriate. Reporting breaches early, and including detail around the measures and systems that are in place to avoid similar future breaches, should help organisations to mitigate or avoid regulatory enforcement action as far as possible. Some NHS Trusts may need help preparing a report.
  • Liabilities and claims - Organisations may need to take advice around any liability/claims arising from the cyber breach, including potential claims against the organisation by service users, providers and third party contractors. This includes looking at the contractual position with external/outsourced IT/virus protection providers and providing notification to insurers (if there is cyber cover in place) in order that any losses can be recovered.

Protecting against future attacks

  • Systems – organisations should look at undertaking a review of what can be done to minimise the risks in future, including reviewing their system protection, back-up capabilities, etc.
  • Training – making sure staff have adequate training to respond effectively in the event of an attack, including crisis management training and even testing the level of preparedness through mock cyber-attack simulations.

Bevan Brittan has multi-disciplinary teams who can help advise around the various IT, Information Law, Governance/Investigatory, Regulatory and Reputational Management aspects of a cyber attack. If you want to understand more, please contact Adam Kendall.
