SonicWall recently released data indicating a significant increase in cyber attacks targeting the UK healthcare sector. Data from its Intrusion Prevention System (IPS), collected between January and May 2026, shows a reported tenfold increase in observed hacker targeting activity. This includes activity affecting medical institutions, including NHS-related networks, within a broader pattern of cyber threats affecting critical infrastructure.
According to the SonicWall Threat Research team, the UK healthcare sector recorded 264,000 IPS events from January to the end of May 2026, compared with a total of approximately 27,000 events reported for the full year 2025. This represents a higher volume of detected activity on a per-sensor basis, with an average of around 11,000 events per sensor. The data identifies healthcare as one of the more frequently targeted sectors in the UK during this period.
The findings suggest a pattern of automated exploitation activity that may precede larger-scale attacks, in line with broader trends affecting critical infrastructure and operational technology systems internationally.
Analysts interpreting the data describe the activity as consistent with systematic mapping of healthcare-related digital environments and supply chains, rather than immediate disruptive attacks.
Across the UK, ransomware incidents reportedly decreased by 87% in 2025, with some larger cybercriminal groups shifting toward fewer but more targeted operations. However, healthcare remained a continued focus within overall cyber activity trends.
The report also highlights ongoing challenges associated with legacy systems, sometimes referred to as “zombie tech,” including outdated infrastructure and older applications. Constraints around downtime in clinical environments can delay patching. At the same time, ongoing digitisation of patient services has introduced new web-based exposure points. The data suggests attackers are monitoring both legacy and modern systems for potential vulnerabilities.
