Advisory · Published Jun 30, 2026 · 1 source

UK Healthcare Sector Faces Tenfold Surge in Cyber-Attacks

The UK's healthcare sector has experienced a dramatic tenfold increase in cyber-attacks during the first five months of 2026, with SonicWall reporting 264,000 security events.

The United Kingdom's healthcare sector is under unprecedented cyber pressure, facing a tenfold surge in attacks during the first five months of 2026 compared to the entirety of 2025. SonicWall's analysis, based on data from its intrusion prevention system (IPS) sensors deployed across UK healthcare clients, recorded a staggering 264,000 security events between January and May 2026. This figure dwarfs the 27,000 events logged for the whole of the previous year, translating to approximately 11,000 events per sensor in the initial five months of 2026, a rate higher than any other industry vertical.

The threat landscape is diverse, encompassing attempts to exploit both long-standing vulnerabilities and more recent weaknesses. Notably, two-fifths (41%) of the detected events targeted Log4Shell, a critical vulnerability in the Java logging utility first disclosed in 2021. This persistent exploitation highlights the ongoing challenges in patching deeply embedded legacy systems. Additionally, attackers are actively probing for weaknesses in newer technologies, with incidents targeting a critical remote code execution vulnerability in the React.js JavaScript library, found in modern patient portals.

Another significant vector identified is authentication bypass attacks against F5 BIG-IP load balancers, which were responsible for 33% of sensor-recorded events. These devices are widely deployed across the National Health Service (NHS), making them a prime target for threat actors seeking to gain initial access or disrupt services. The continued focus on these established vulnerabilities underscores a persistent struggle within the sector to maintain up-to-date security postures.

SonicWall attributes this alarming increase to several factors, including the exposure of newly connected infrastructure to the internet and potentially intensified targeting, with Iran cited as a possible source. The surge aligns with a broader global increase in attacks against Industrial Control Systems (ICS) and Operational Technology (OT) observed since early 2026. The vendor points to "zombie tech"—ancient, unpatched systems and legacy Java applications—as a persistent problem, particularly within the NHS where critical care systems cannot be easily taken offline for patching.

Spencer Starkey, EMEA Executive Vice President at SonicWall, described the situation as a "double-edged crisis." He emphasized that while the digitization push has introduced new vulnerabilities in patient-facing applications, the inability to update critical legacy systems leaves the sector exposed. Attackers are adept at exploiting this gap between old and new infrastructure, scanning relentlessly for exploitable weaknesses.

The escalating threat has not gone unnoticed by UK authorities. The National Cyber Security Centre (NCSC) has responded by publishing a new plan aimed at bolstering the cyber resilience of the healthcare sector. This initiative underscores the severity of the situation and the government's commitment to addressing the growing cybersecurity challenges faced by healthcare providers.

The data from SonicWall serves as a stark warning about the vulnerability of critical infrastructure. The healthcare sector's unique operational constraints, coupled with the evolving tactics of threat actors, create a complex and dangerous environment. The continued exploitation of both old and new vulnerabilities highlights the urgent need for comprehensive security strategies that address the entire technology stack, from legacy systems to modern web applications.

Synthesized by Vypr AI