In August 2022, a ransomware attack on Advanced — a major supplier of clinical software to NHS organisations — took the Adastra system offline, affecting 111 call handling and out-of-hours GP services across the UK. In 2023, attacks on NHS Shared Business Services and multiple GP practice IT providers disrupted patient care across thousands of practices. These incidents illustrate a risk that many individual GP practices have not fully internalised: their operational dependency on digital systems makes them high-value ransomware targets, and the consequences of a successful attack are measured in patient safety, not just IT disruption.
A GP surgery with a single location and a patient list of 5,000 to 12,000 people is a small organisation in every sense. It is also an organisation that holds Special Category health data on every registered patient, maintains NHS credentials that provide access to national systems, runs clinical infrastructure whose availability directly affects patient safety, and is connected to a national digital health network whose security posture is only as strong as its weakest node.
The Patient Data Calculus
Patient health records held by a GP surgery are among the most sensitive categories of personal data that exist. They contain the complete medical history of the individual, including diagnoses, medications, mental health history, sexual health information, genetic data, and safeguarding records for children and vulnerable adults. This data is Special Category under UK GDPR, and its breach carries the most serious regulatory consequences available under the data protection framework.
On the criminal market, medical records are valued at significantly more per record than payment card data or standard personal information. A complete medical record provides the raw material for identity fraud, insurance fraud, targeted blackmail, and — in particularly sensitive cases — the leverage to compel an individual to act against their interests. Criminal groups that target healthcare organisations do so in part because the data they obtain has higher intrinsic value than most other targets of comparable size.
NHS System Credentials: The Network Effect
GP surgeries are connected to national NHS systems — the N3/HSCN network, Spine, NHS Mail, SystmOne/EMIS/Vision, and an array of clinical applications — through credentials and access rights that give them a unique position in the NHS digital infrastructure. A compromised GP practice credential is not just a compromised GP practice: it is a potential entry point into NHS national systems, neighbouring practices using shared infrastructure, and clinical networks whose security depends on every connected node.
This network effect is precisely what makes GP practices interesting to sophisticated attackers. Compromising a practice that has legitimate access to NHS Spine or shared clinical systems provides capabilities that targeting a non-NHS organisation of the same size would not.
Clinical Operational Dependency
A GP surgery whose clinical system is encrypted by ransomware faces an immediate patient safety problem, not just an IT problem. Without access to the patient record system, clinicians cannot safely prescribe — what other medications does this patient take? what allergies are recorded? is this the correct patient identifier? They cannot safely manage chronic disease reviews, cancer surveillance, safeguarding flags, or medication review alerts. They cannot access the recall lists that drive preventive care.
Practices that have experienced ransomware attacks have in some cases been unable to operate safely for days to weeks while systems are recovered. During this period, patient care is necessarily disrupted — appointments cancelled, prescriptions delayed, clinical continuity broken. This operational dependency is the mechanism by which ransomware operators extract payment from healthcare targets: the ransom is cheaper than the clinical and regulatory cost of extended downtime.
The NHS Mail Attack Surface
NHS Mail — the @nhs.net email service — is used by GP practices for clinical communications including referrals, discharge summaries, safeguarding correspondence, and notifications from secondary care. It is also a target for phishing and credential harvesting. Phishing emails impersonating NHS England, NHSD, the ICB, or clinical commissioning bodies have been used to harvest NHS Mail credentials, with compromised accounts then used to access patient correspondence, send fraudulent communications under the practice's identity, or pivot to other NHS systems.
NHS Mail credentials should be treated with the same security as any other privileged account: unique passwords managed in a password manager, MFA where available, and monitoring of sign-in activity for unusual patterns.
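As an added illustration (not part of the original article, and not NHS Mail tooling), the sketch below shows what monitoring sign-in activity for unusual patterns can look like: it flags a successful sign-in that follows a burst of failures and a sign-in from a country the account has not used before. The log columns, thresholds, and account names are assumptions constructed for the example.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data. The column layout is an assumption for this example,
# not the export format of NHS Mail or any other product.
SAMPLE_LOG = """\
timestamp,account,country,result
2024-03-04T08:01:10,reception.a@example.invalid,GB,success
2024-03-04T08:05:42,dr.b@example.invalid,GB,success
2024-03-05T02:13:01,dr.b@example.invalid,GB,failure
2024-03-05T02:13:09,dr.b@example.invalid,GB,failure
2024-03-05T02:13:15,dr.b@example.invalid,GB,failure
2024-03-05T02:13:31,dr.b@example.invalid,GB,success
2024-03-05T09:00:00,reception.a@example.invalid,NL,success
2024-03-05T09:30:00,reception.a@example.invalid,GB,success
"""

FAIL_THRESHOLD = 3                    # failures before a success is suspicious
FAIL_WINDOW = timedelta(minutes=10)   # how long a failure stays relevant

def find_unusual_signins(log_text):
    """Return (timestamp, account, reason) tuples for sign-ins worth reviewing."""
    known_countries = defaultdict(set)     # account -> countries of trusted sign-ins
    recent_failures = defaultdict(deque)   # account -> timestamps of recent failures
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        acct = row["account"]
        fails = recent_failures[acct]
        while fails and ts - fails[0] > FAIL_WINDOW:
            fails.popleft()                # drop failures outside the window
        if row["result"] == "failure":
            fails.append(ts)
            continue
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append((row["timestamp"], acct, "success after repeated failures"))
        fails.clear()
        seen = known_countries[acct]
        if not seen:
            seen.add(row["country"])       # first observed sign-in seeds the baseline
        elif row["country"] not in seen:
            # Not added to the baseline: it stays flagged until someone reviews it.
            alerts.append((row["timestamp"], acct, "first sign-in from " + row["country"]))
    return alerts

if __name__ == "__main__":
    print(*find_unusual_signins(SAMPLE_LOG), sep="\n")
```
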
Prescription System Risks
Electronic Prescription Service credentials — used to generate and transmit prescriptions to the NHS Spine — are targets for criminal groups seeking to generate fraudulent prescriptions for controlled medications. A compromised prescribing system used to generate fraudulent prescriptions creates both a public safety risk and a Controlled Drugs Accountable Officer notification requirement. The consequences for the clinical leadership of the practice — and potentially for CQC registration — are serious.
Patient Safety Depends on System Availability
SOC in a Box provides 24/7 monitoring of your practice network, clinical systems, and NHS Mail environment, with a named analyst who understands the healthcare security context. DLP policies are pre-configured for Special Category health data. Cyber Essentials certification and DSPT-aligned monthly reports included. Deployed in five working days.