Summary
- Confirmed: WannaCry affected NHS services in England from 12 May to 19 May 2017. The National Audit Office reported that at least 80 of 236 trusts were infected or disrupted, 34 trusts were infected and locked out of devices, 46 trusts were not infected but reported disruption, and a further 603 primary care and other NHS organisations were infected, including 595 GP practices.
- Confirmed: NHS England identified 6,912 cancelled appointments during the incident response window and estimated more than 19,000 cancellations in total. Five accident and emergency departments diverted patients. NHS Digital told the NAO that no patient data was compromised or stolen, and the Department, NHS England, and the National Crime Agency told the NAO that no NHS organisation paid the ransom.
- Boundary: The public record supports a patching and assurance failure, but it does not support a simple claim that Windows XP alone caused the NHS outage. The NHS England lessons review said the attack exploited a Microsoft Windows vulnerability, that most infected NHS devices ran supported but unpatched Windows 7, and that unsupported XP devices were a minority of infected devices.
- Assessment: The accountable failure was not just technical debt. It was the combination of asset visibility, patch deployment, unsupported-device management, local trust autonomy, national bodies without a pre-incident compliance mechanism, untested local cyber response, and care-continuity processes that were forced into paper and manual coordination.
A patch can be issued without being governed
The shortest version of the NHS WannaCry story is that a Microsoft patch existed before the attack and too many NHS organisations had not applied it. That sentence is true, but it hides the accountability problem. A patch is a technical artefact. Patching is a governance system. It requires asset records, risk prioritisation, change windows, clinical-system testing, supplier coordination, local operational consent, proof of deployment, and a national view of exceptions. In May 2017 the NHS had guidance, warnings, and technical support, but it did not have enough assurance that the guidance had become protection.
Microsoft published Security Bulletin MS17-010 on 14 March 2017. The bulletin rated the issue critical and said the most severe vulnerabilities could allow remote code execution if an attacker sent crafted messages to a Microsoft Server Message Block 1.0 server. Microsoft later explained in its WannaCrypt customer guidance that the March update addressed the exploited vulnerability, that organisations with automatic updates enabled were protected against that vulnerability, and that Microsoft took the unusual step of making updates broadly available for older platforms such as Windows XP, Windows 8, and Windows Server 2003. Its security blog described WannaCrypt as a worm using vulnerabilities that had already been fixed, affecting computers that had not applied the patch. (Microsoft security blog)
NHS Digital's archived alert, CC-1411, framed the same risk in health-sector language. It identified the ransomware as using SMB vulnerabilities patched in MS17-010, warned that the vulnerabilities were likely to be used by future malware variants for self-propagation, and said patching affected versions should be prioritised. It also listed remediation steps such as blocking SMB-related ports, confirming port lockdown, updating vulnerable platforms, using vulnerability scanners, maintaining kill-switch-domain connectivity, quarantining infected devices, rebuilding infected machines to a patched standard, and not paying the ransom.
Those details matter because they show that the technical answer was not obscure by 12 May. The more difficult question is whether national and local controls had made the answer operationally unavoidable. The National Audit Office investigation reported that NHS Digital had issued critical alerts in March and April 2017 warning organisations to patch their systems to prevent WannaCry. It also reported that before the attack, the Department of Health had no formal mechanism for assessing whether NHS organisations had complied with its advice and guidance. NHS Digital had assessed 88 of 236 trusts on site, and none had passed its cyber-security assessment, but NHS Digital could not require a local body to take remedial action.
That is the accountability hinge. The centre could warn. Local organisations controlled many implementation choices. But the patients experienced the combined system, not the boundary between a central alert and a local patch window.
What the record establishes
WannaCry began affecting the NHS on Friday, 12 May 2017. The NAO reported that the global ransomware attack affected more than 200,000 computers in at least 100 countries, and that the NHS was not the specific target. At 4 pm that day, NHS England declared a major incident and implemented emergency arrangements to maintain health and patient care. A security researcher activated a kill switch that evening, stopping WannaCry from locking further devices in the same way. The attack affected NHS services during the week from 12 May to 19 May.
The scale in England was significant but not fully measurable. According to the NAO, at least 80 of 236 trusts across England were affected because they were either infected or turned off systems as a precaution. Of those, 34 were infected and locked out of devices, including 25 acute trusts. Another 46 reported disruption without being categorised as infected; some shut down email and other systems as a precaution and had to use pen and paper for activities normally performed electronically. NHS England and NHS Digital also identified 21 trusts whose systems attempted to contact the WannaCry domain but were not locked out, and a further 603 primary care and other organisations were infected, including 595 GP practices.
The public record is equally clear about what is unknown. The Department and NHS England did not know the full extent of disruption. They did not know how many NHS organisations could not access records because they shared systems or data with an infected trust. They did not know how many GP appointments were cancelled, or how many ambulances and patients were diverted from the five accident and emergency departments that could not treat some patients. NHS England collected some cancellation information from 12 May to 18 May, but the NAO said the data did not cover all appointment types. The reported 6,912 identified cancellations and more than 19,000 estimated total cancellations are therefore not a complete patient-impact ledger.
The NHS England lessons learned review, led by the Chief Information Officer for Health and Social Care, preserved the same frame while adding operational texture. It said the NHS was not directly targeted, that there were no reports of patient harm or patient data being compromised or stolen, and that 1% of NHS activity was directly affected. It also stated that 80 of 236 hospital trusts were affected, 595 of 7,454 GP practices and eight other NHS and related organisations were infected, and the disruption made the health service's dependence on information technology clearer.
That last conclusion is the most important. A ransomware incident that did not steal patient data still damaged care continuity. In a digital hospital, availability is not a convenience layer. It is part of clinical throughput, communication, diagnostic access, appointment flow, and safe escalation.
Unsupported systems were part of the story, not the whole story
WannaCry is often retold as a Windows XP cautionary tale. Unsupported software mattered. It had been a known risk, and the Department and Cabinet Office had written to trusts in 2014 saying they needed robust plans to migrate away from old software such as Windows XP by April 2015. The National Data Guardian review, published in July 2016, proposed new data security standards and a method for testing compliance. The Care Quality Commission's Safe Data, Safe Care review, also published in July 2016, recommended urgent replacement of hardware and software that could no longer be supported, stronger audit and validation, and leadership ownership of data security.
But an unsupported-system slogan is too narrow. NHS England's lessons review said none of the 80 affected NHS organisations had applied the Microsoft update patch advised by NHS Digital's CareCERT bulletin on 25 April 2017. It also said WannaCry was an attack using a specific Microsoft Windows vulnerability, not an attack on unsupported software. The majority of infected NHS devices were running supported but unpatched Windows 7. Unsupported XP devices were in the minority of infected devices, and the number of XP devices had decreased from 18% to 1.8% by January 2018.
The distinction matters for responsibility. If the failure were only "old operating systems," then the answer would be replacement funding and supplier pressure. Those were real issues, especially where medical equipment or diagnostic devices depended on older software. But if supported Windows 7 machines remained unpatched after a critical alert, then the answer also includes patch governance, exception management, and proof of closure. A supported device can be unsafe when it is not patched. An unsupported device can be isolated or managed in a compensating-control model. The system needed to know which condition applied to each critical endpoint before a worm made the inventory visible.
The lessons review also noted that firewall and network controls could have reduced infection risk. It said that even where patching had not occurred, action to improve security of network firewalls facing the N3 network would have guarded organisations against infection. That is another reason not to treat patching as a single switch. Patching was necessary, but so were network segmentation, perimeter configuration, SMB exposure controls, and knowledge of which systems still needed legacy protocol support.
The NCSC WannaCry guidance, now marked as withdrawn because it is out of date, captured the emergency defensive logic at the time. It advised organisations to deploy MS17-010, disable SMBv1 if patching was not possible, block relevant ports where needed, isolate vulnerable legacy technology, update antivirus, and avoid blocking the kill-switch domains. In other words, the immediate response required a layered control set. Organisations that lacked clear asset lists, firewall ownership, local DNS options, supplier contacts, and tested rebuild procedures could not easily execute that layered response under emergency pressure.
Local autonomy made central assurance harder
The NHS is not one monolithic IT estate. Local trusts, GP practices, clinical commissioning groups, suppliers, commissioning support units, and other organisations operate within national frameworks but hold many local responsibilities. The NAO said local healthcare organisations were responsible for keeping information secure and for incident and emergency arrangements, including cyber attacks. National bodies oversaw and supported them, but did not always have authority to compel specific technical action.
This structure is not inherently wrong. Local clinical organisations understand their own care pathways, equipment, suppliers, and change risks. A patch can break an old diagnostic interface, a patient-administration integration, or a medical-device process. A central instruction that ignores these realities can produce unsafe change or local resistance. Yet local autonomy becomes dangerous when the centre cannot see which sites are exposed, which have accepted risk, which have compensating controls, and which are unable to act because a supplier, budget, or clinical dependency blocks remediation.
The NAO's point about the missing formal compliance mechanism is therefore not bureaucratic trivia. It explains why a warning did not become system-wide risk reduction. A national alert can say "patch now." It cannot by itself prove that every relevant endpoint has the patch, that unsupported devices are isolated, that SMB is blocked where it should be, that systems requiring exceptions are named, or that executives have accepted a residual patient-safety risk.
The Public Accounts Committee report made the same weakness political. It said there had been warnings in 2016 and further warnings in March and April 2017, but patching had taken place in only around two-thirds of trusts at the time of WannaCry, and none of 88 trusts had passed NHS Digital's assessments. It also reported that the Department and the NHS recognised that things needed to change and that the 2018 lessons review contained 22 recommendations, but that implementation plans and costs had not yet been agreed when the Committee reported.
That evidence supports a sober conclusion: responsibility was distributed, but the patient did not receive distributed care. If a local trust lacked the patch, if a GP practice could not access systems, or if an ambulance had to divert, the harm reached people through a single public service. Distributed governance needs stronger evidence loops precisely because the public service appears unified at the point of need.
A care-continuity incident, not just an IT incident
The visible harm of WannaCry was interruption. Some organisations were infected and locked out. Others shut down systems to reduce risk. Some used paper. Some could not receive test results or access shared records. Some patients had appointments or operations cancelled. Five areas diverted accident and emergency patients. The NAO was careful to say that not all categories were fully counted, and the NHS England review reported no known patient harm. Those boundaries should be respected. Absence of reported harm is not proof that every clinical risk was absent, but the public record does not support inventing a death toll or a hidden patient-data theft.
The more useful accountability lens is continuity capacity. Health services can survive short digital interruption only if degraded modes are ready. Paper fallback is not a plan by itself. It requires printable or recent patient lists, medication history access alternatives, safe handover routes, diagnostic-order workarounds, referral tracking, theatre scheduling, laboratory result communication, manual appointment rebooking, and reconciliation after systems return. Each fallback has a throughput and error profile. A clinic that can handle 20 manual exceptions may not handle hundreds. A hospital that can safely defer elective work for a day may struggle if diagnostic visibility is impaired across a region.
The NHS England lessons review recognised the difference between a cyber incident and a conventional major incident. It said NHS England used its Emergency Preparedness, Resilience and Response framework, which gave a robust structure, but the incident also taught lessons about how cyber differs from other major incidents. Cyber can make the communication tools themselves unreliable. It can affect multiple sites simultaneously. It can be unclear at first whether a site is infected, disconnected, or acting defensively. It can require technical containment actions that reduce service capacity. It can also spread through shared networks, so helping one organisation may depend on how another organisation behaves.
That is why accountability should not end at the device that missed a patch. The care system needed a tested way to answer basic continuity questions under cyber conditions. Which services must keep running even if email is offline? Which records are essential to emergency care? Which systems can be shut down locally without regional coordination? Which national body leads communications? Which suppliers must join the incident bridge? Which local executives can accept reduced clinical throughput, and on what evidence?
The NAO reported that the Department had developed a plan including national and local roles and responsibilities, but had not tested it at a local level. It also found that the NHS had not rehearsed for a national cyber attack, so it was not immediately clear who should lead the response and there were communication problems. That is not a minor process gap. In cyber continuity, rehearsals are how organisations discover whether contact lists work, whether paper forms exist, whether offline patient lists are recent enough, whether suppliers answer, and whether clinicians understand which systems are safe to reconnect.
Interdependency turned local protection into regional disruption
One of the hardest features of the incident is that some organisations were harmed by other organisations' defensive moves. A trust could avoid direct infection and still lose access to an ambulance handover process, a diagnostic image transfer, a chemotherapy ordering path, a blood-results flow, or a primary-care caseload because another provider, supplier, or network partner closed access to protect itself. That is rational local containment, but it creates regional service consequences.
NHS England's later business continuity management toolkit case study on WannaCry makes this practical. It describes County Durham and Darlington NHS Foundation Trust as not suffering a direct attack, while the ambulance service protected its network by closing access, disabling handover process screens and making a patient-transport booking portal unavailable. Tertiary centres closed access, which meant CT and MR scans could not be transferred electronically and chemotherapy orders could not be transferred through the usual route. The primary-care IT provider protected its network, after which automated blood-result transfer failed and some GPs could not access their caseloads.
The workarounds in that case study are useful because they are concrete rather than dramatic. Ambulance pre-alerts continued by landline and other radio communication. Patient transport bookings moved to telephone. Images were transferred onto DVD and sent by taxi. Chemotherapy orders reverted to paper and fax. Blood-result transfers moved to paper and slowed the process. Some GPs accessed caseloads through urgent treatment centres. The case study said business-continuity plans were updated afterward and concluded that NHS organisations need to understand their interdependencies and dovetail plans for shared services to minimise impact on the health economy.
This is exactly the kind of evidence that broad incident counts miss. A cyber incident can reduce care capacity without every affected organisation being infected. It can turn a secure decision by one party into an outage for another. It can require analog methods that are safe for low volume but fragile at scale. A DVD sent by taxi may save a diagnostic path for a small number of urgent scans; it is not a substitute for ordinary electronic imaging exchange across a busy region. A telephone booking route may keep patient transport moving; it cannot automatically preserve prioritisation, audit, or throughput if the call volume surges. Paper chemotherapy orders may keep treatment from stopping; they create transcription, confirmation, and reconciliation burdens that the digital process normally absorbs.
These examples also explain why supplier and partner continuity matters for smaller organisations. A GP practice, hospice, community provider, local clinic, or contracted service may not own the central system it depends on. It may depend on a commissioning support unit, a hosted clinical system, a pathology interface, a diagnostic partner, or a network route controlled by someone else. When that dependency is disconnected, the smaller organisation must still answer patients. It must know whether it can access records through an alternate site, whether paper results are clinically acceptable, whether referral updates are being queued, and who is responsible for telling patients that the digital path has failed.
For accountability purposes, interdependency changes the control test. It is not enough for each organisation to say that it has a business-continuity plan. The plans have to meet each other. If a tertiary centre's defensive shutdown blocks image transfer, the referring trust's plan must already know the alternate route. If a primary-care IT provider closes access, local practices need named options for urgent record access. If ambulance handover screens are unavailable, emergency departments and ambulance services need a shared fallback that has been rehearsed. The NHS case study is modest in scope, but it shows the system-level truth: cyber continuity is joint work, and an untested joint dependency can fail even when each participant is trying to be prudent.
The cost was wider than a ransom that was not paid
No NHS organisation paid the ransom, according to the Department, NHS England, and the National Crime Agency in the NAO report. That fact should prevent a common misreading: the loss was not the ransom demand. It was cancelled work, overtime, IT support, restoration, deferred care, supplier effort, and later remediation. The NAO said the Department did not know the cost of disruption to services at the time of its investigation. It identified cost categories such as cancelled appointments, additional local IT support, IT consultants, restoration of data and systems, and staff overtime during the weekend response.
The later Department of Health and Social Care update, Securing cyber resilience in health and care: October 2018 progress update, linked to the detailed September 2018 update PDF. That update is widely cited for the estimate that WannaCry cost the NHS £92 million, including direct response and IT recovery as well as lost output. That estimate should be used carefully. It is a public-sector cost estimate, not a full accounting of patient anxiety, family time, ambulance movement, local supplier burden, or every staff hour.
Academic work also shows why the impact is hard to price. A 2019 npj Digital Medicine retrospective impact analysis used Hospital Episode Statistics to examine cancellations, admissions, A&E attendances, mortality, and fiscal costs. It found no significant difference in total activity across all trusts during the WannaCry week compared with baseline, but directly infected hospitals had fewer emergency and elective admissions, and the study estimated £5.9 million in lost hospital activity at infected trusts. It also noted no increase in mortality, while warning that mortality is a crude measure of patient harm.
The difference between a £5.9 million infected-hospital activity estimate and a broader £92 million public-sector estimate is not necessarily a contradiction. They measure different things. One looks at activity at infected hospitals over a defined period using hospital data. The other includes wider response, recovery, and IT remediation. For accountability, the important point is not to pick the largest number and call it "the cost." It is to ask which costs were preventable by earlier patching, which were incurred by necessary containment, which were investments that should have happened before, and which fell on patients and staff without ever appearing in an IT budget.
Small and medium-sized providers sit inside that same question. The issue is continuity across the smaller organisations that connect to a national service: GP practices, hospices, community providers, contractors, device suppliers, local IT support partners, and social-care interfaces. The NAO counted primary care and other organisations among the infected entities and noted that other providers could be affected through shared systems or delayed information. A cyber incident in a large public institution therefore becomes a continuity shock for smaller organisations that have less redundancy and less political visibility.
Attribution does not answer the operating question
The United Kingdom later attributed WannaCry to North Korea. The Foreign Office statement on the North Korean actor behind WannaCry said the UK judged that North Korean actors known as the Lazarus Group were behind the campaign. That attribution matters for deterrence, sanctions, diplomacy, and national security. It does not absolve domestic operational control. The same public record says the NHS was not the specific target, that the worm spread through a known Windows vulnerability, and that local organisations could have taken relatively simple action to protect themselves.
Criminal responsibility and public-service responsibility are separate layers. The attacker controlled the malicious code and the decision to deploy it. Microsoft controlled the vulnerability disclosure and patch release for its products, and then the extraordinary decision to make patches available for unsupported platforms during the emergency. NHS Digital controlled alerts, guidance, hotline support, and sector-specific advice. NHS England controlled major incident coordination and care-continuity escalation. The Department of Health controlled policy oversight and funding priorities. Local trusts and practices controlled many device, network, supplier, and change-management decisions. Suppliers controlled some legacy devices, support terms, and compatibility constraints.
No single layer is the whole story. Treating the incident as only a hostile-state event makes it too remote from local management. Treating it as only local noncompliance ignores the fact that national bodies had seen warning signs and did not have enough enforcement or assurance power. Treating it as only a Microsoft issue ignores that the critical patch existed before the incident and that not applying patches is an operational choice. Treating it as only a supplier issue ignores that supported Windows systems were also unpatched. Accountability is the map of these controls, not a search for one actor who can carry all of them.
The most consequential control was evidence. Who knew the patch state? Who knew the exposed SMB state? Who knew which systems were unsupported? Who knew which medical devices could not be patched without supplier intervention? Who knew whether a local trust had tested its cyber emergency plan? Who knew how quickly GP practices could switch to safe manual operation? The public record shows that enough of those answers were either unavailable, incomplete, or not centrally actionable before the attack.
The post-incident programme confirms the diagnosis
The remedial record after WannaCry is useful because it shows what national leaders thought had failed. The NHS England lessons review recommended stronger leadership and board accountability, clearer roles, cyber-security standards, local resilience, better patching, unsupported-software replacement, improved response processes, and stronger national coordination. The Department's 2018 progress update described work on major incident response, cyber-security operations, data security standards, supplier expectations, and investment. The Data Security and Protection Toolkit, which replaced the previous Information Governance Toolkit from April 2018, became an online self-assessment mechanism for organisations with access to NHS patient data and systems to measure and publish performance against the National Data Guardian's ten data security standards.
That toolkit is not proof that the problem disappeared. Self-assessment has limits, and later cyber incidents in health systems show that ransomware and supplier outages remained serious risks. But it is evidence that the post-WannaCry system moved toward explicit assurance rather than informal guidance alone. It also shifted cyber out of the purely technical lane and into board-level accountability, incident reporting, and continuity.
The later government strategy, A cyber resilient health and adult social care system in England, extends that frame to 2030. It describes cyber security as a condition for protecting patient, service-user, and staff data and for recovering quickly when attacks occur. The strategy's existence reinforces the core lesson from 2017: in health care, cyber security is not a separate back-office discipline. It underwrites public trust and service continuity.
The National Cyber Security Centre's broader public role also grew during this period. Its 2017 annual review announcement described the new centre's first year and its mission to make the UK safer online. The WannaCry response made that mission concrete for hospitals and clinics. It showed that national cyber capability had to connect to sector-specific operations, not merely publish warnings for technical teams.
Five accountability tests
The enduring value of the NHS case is that it gives boards and public-sector leaders practical tests. These tests are not about blaming one administrator for one patch. They are about whether a public service can prove that known cyber risk has been converted into operational action.
1. Asset visibility: An organisation cannot patch what it cannot identify. It needs an inventory of servers, endpoints, medical devices, unsupported systems, operating-system versions, exposed services, suppliers, and clinical dependencies. The inventory must include systems that are inconvenient to own, such as old diagnostic workstations, shared file servers, and machines controlled partly by vendors.
2. Patch assurance: Issuing a warning is not enough. A critical alert should create tracked actions, deadlines, executive escalation, named exceptions, compensating controls, and evidence that the patch has been installed or the exposure has been otherwise controlled. Where local autonomy blocks central mandates, the centre needs at least reliable visibility and a route to escalate patient-safety risk.
3. Legacy containment: Unsupported or difficult-to-patch systems require segmentation, access restrictions, supplier plans, replacement funding, and clinical contingency. Leaving a system unsupported is sometimes a temporary clinical necessity, but it should not be an unmanaged fact discovered during a worm outbreak.
4. Cyber-specific continuity: Emergency planning must assume that normal communication and record systems may be unavailable. Manual fallback needs capacity planning, not just paper forms. It should specify which clinical services degrade first, how patients are diverted, how test results move, how appointments are rescheduled, and how offline work is reconciled safely.
5. Multi-level accountability: The centre, local bodies, suppliers, and national security agencies have different controls. A mature framework does not collapse those controls into one blame story. It defines who must act, who must verify, who must fund, who must communicate, and who must accept residual risk.
These tests are uncomfortable because they make cyber resilience measurable. They also protect staff from impossible expectations. During WannaCry, NHS staff worked overtime and improvised to keep services running. The lessons review publicly recognised those efforts. Heroic local response should not be used as evidence that preparation was adequate. It is often evidence that the formal system left too much work to people under pressure.
The liability boundary
The public sources support strong operational criticism. They do not support unsupported legal conclusions against a named trust, executive, supplier, or national body. The PAC, NAO, NHS England, DHSC, CQC, NCSC, Microsoft, and academic records establish warnings, missed assurance, unpatched systems, service disruption, and post-incident reforms. They do not prove negligence in every local organisation, quantify every loss, or show exactly which devices were responsible for each cancelled appointment.
That boundary matters because the accountability lesson is broader than litigation. If leaders reduce the case to a legal fight over whether one entity breached a duty, they miss the control design. The public-service question is whether the NHS could know, before a national cyber event, that each organisation had closed or consciously managed a known critical vulnerability. The 2017 answer was no. The care-continuity question is whether every affected organisation had rehearsed a cyber outage well enough to keep essential services moving at a known degraded capacity. The public record says those arrangements were not sufficiently tested.
WannaCry therefore remains a public accountability case because it connected a technical maintenance backlog to patient-facing resilience. The risk had names: MS17-010, SMBv1, unsupported operating systems, untested incident plans, local bodies without central compliance assurance, shared networks, and clinical systems that could not be casually switched off. But the harm had different names: cancelled appointments, diverted patients, unavailable records, delayed information, staff overtime, and a £92 million remediation and disruption estimate.
The most responsible way to remember the incident is not as a morality tale about old software. It is a warning that public institutions can know enough to be worried and still not know enough to be ready. A patch can exist. An alert can be sent. A board can receive cyber training. A plan can be written. If the organisation cannot prove that the vulnerable systems are patched, isolated, replaced, or safely worked around, then the risk is still being carried by patients, staff, and smaller providers who only discover the dependency when the service stops.

