
UK Healthcare Cyber-Attacks Surge Tenfold

Originally published on: July 1, 2026
Summary

– SonicWall data shows a tenfold increase in attacks on UK healthcare in Jan-May 2026, with 264,000 events compared to 27,000 in all of 2025.
– 41% of detected attacks exploited the Log4Shell vulnerability from 2021, while others targeted newer flaws like React2Shell in patient portals.
– One-third of sensors recorded authentication bypass attacks on F5 BIG-IP load balancers, a common target in healthcare.
– Patching is difficult because Java-based clinical apps are deeply embedded in NHS workflows and cannot be updated on a standard cycle.
– SonicWall suggests the attack surge may stem from newly exposed internet-connected infrastructure or intensified targeting, possibly from Iran.

The UK’s healthcare sector is under unprecedented cyber siege, with attacks surging tenfold in the first five months of 2026 compared to the entire previous year. Security vendor SonicWall reports that its intrusion prevention system (IPS) sensors, deployed across UK healthcare clients, detected 264,000 individual events between January and May 2026. That total dwarfs the 27,000 events recorded for all of 2025 and works out to roughly 11,000 events per sensor during that period, the highest volume of any industry vertical.

The data reveals a dangerous mix of legacy vulnerabilities and newly discovered flaws under simultaneous assault. Two-fifths (41%) of all detected events targeted Log4Shell, a critical vulnerability in the Java-based logging utility first patched in 2021 but still actively exploited. However, attackers are also probing modern systems: SonicWall observed attempts to exploit React2Shell, a remote code execution flaw in the React.js JavaScript library found in recently deployed patient portals. Additionally, a third (33%) of sensors recorded authentication bypass attacks on F5 BIG-IP load balancers, devices widely used across the NHS and a persistent target for years.

The core problem, according to SonicWall, lies in the deep integration of Java-based clinical applications within NHS workflows. These systems cannot be patched or replaced on a standard enterprise schedule without risking patient care. “The fact that [Log4j] remains the most active attack vector against UK healthcare environments in 2026 points to a straightforward problem: clinical Java middleware, patient-facing web applications, and legacy hospital IT systems have not been updated,” the vendor stated. “In an environment where unplanned downtime can affect patient care, the calculus around patching is complicated, but the data makes clear that the cost of delay is measured in attack volume, not just theoretical risk.”

SonicWall attributes the tenfold increase to two possible factors: newly exposed infrastructure now connected to the internet, or intensified targeting, potentially from Iran. This surge coincides with a global rise in ICS/OT attacks observed since early 2026. Spencer Starkey, EMEA executive vice president at SonicWall, described a “double-edged crisis” threatening the sector. “Attackers are targeting our hospitals, and stress-testing them to breaking point. Zombie tech, ancient unpatched systems and legacy Java keep haunting the NHS because administrators can’t just take a critical care system offline to patch it,” he warned. “Meanwhile, the rush to digitize has opened the door to brand-new web vulnerabilities in patient portals. Threat actors have clocked the gap between old and new, and they’re scanning for it relentlessly.”

In response to the escalating threat, the National Cyber Security Centre (NCSC) recently published a new plan aimed at building cyber resilience across the UK’s healthcare sector.

(Source: Infosecurity Magazine)
