According to an expert, the ‘gold mine’ of patient records is more valuable to hackers than credit card details

Sophie Fagone Buscimese Trainee Reporter

06:00, 27 Jan 2026

University Hospitals of Derby and Burton NHS Foundation Trust gave the risk of failing to protect the hospitals from cyber attacks a likelihood score of four out of five. (Image: Derby Telegraph)

The NHS trust that runs the Royal Derby Hospital has revealed it is at “extreme risk” of failing to protect its hospitals in the event of a cyber attack.

Board papers released by the University Hospitals of Derby and Burton NHS Foundation Trust revealed that a newly-appointed “extreme risk review group” has given the risk of failing to protect its hospitals from cyber attacks a likelihood score of four out of five.

The hospital has not experienced a cyber-security incident in the last ten years, but said it would continue to treat the protection of its data as a priority.

According to cyber security expert Rob White from Derby-based IT company Fortitude Nicsa Global, which looks after a number of large international companies, the reason hospitals are chosen for cyber attacks is because they can be a gold mine for hackers.

“Healthcare data is massively valuable, even more valuable than credit card data – especially on the criminal marketplace,” he said.

“That’s because it is long-term reusable information. Credit cards can be cancelled in minutes, but a patient’s medical history can’t.

“Out of one patient’s file, you get their date of birth, employment, insurance and benefits information, and information about their next of kin.

“It’s permanent data and not disposable, so hackers can sell this data for a lot of money on the black market.”

He added that hackers could also carry out attacks using ransomware, which locks staff out of their computer systems so the attackers can demand payment before access is restored, or phishing emails, which are fake emails containing links that can lead to data leaks when clicked.

According to Mr White, hackers want to cause as much disruption as possible in the event of a ransomware attack, which is why hospitals are a target for them.

Hospitals are high-pressure environments which have no downtime, unlike most corporate businesses.

“If anything goes down, there have to be contingency plans in place to go back to pen and paper,” he said.

“Systems ideally have to be shut down completely so the attacker can’t go anywhere else, which is where phone calls, in-person coordination and pen and paper come into place.

“The hospital can’t stop, it will continue to operate under this pressure, but I know NHS hospitals, especially Royal Derby Hospital, have very good plans in place.”

He also explained that in some cases, cyber attacks happen undetected, and the attacker has already gained access to data before the attack is noticed.

The trust has, however, said that cyber security was placed on the risk register, and will remain there, as part of a “responsible and transparent approach” to managing a risk which is recognised across the entire NHS.

A spokesperson said: “Like the rest of the NHS, we take cyber security extremely seriously and have robust safeguards in place to protect our digital systems, supported by regular staff training and independent testing.

“Our most recent cyber security exercise last year was highly successful, with the next one planned for next month, giving confidence that these measures are working well.

“While we are reassured by this, we are not complacent and continue to treat cyber security as an ongoing priority to ensure our systems remain safe.”

In the University Hospitals of Derby and Burton’s board papers, it was noted that the hospitals had been found to rely on manual system audits and processes to identify malicious intent, which they now intend to change.

“If things aren’t in place, there is no cyber plan, lives can be put at risk,” Mr White said.

“Attackers continue to advance more and more, new hacking systems are developed constantly and hospitals have to be prepared and look at new ways to make them less vulnerable.

“Essentially, they need to plan cyber attacks like they would plan for a power cut.

“The hospital’s IT security team leader, Sarah Gay, won a prestigious award last year (the Women in Cyber Award from the NHS cyber associates network), and the team is very good on that and very much aware that people’s lives are on the line.

“Classing this as an extreme risk means they’re being realistic – it isn’t done to cause distress or to say they expect it but to identify it’s potentially an issue and to make an effort to put measures in place to resolve the incident if it happened.”

The trust has confirmed it meets the national requirements of the Data Security and Protection Toolkit and completes mandatory annual business continuity exercises, supported by a third party cyber security provider.

It now plans further and more regular exercises which will include ward and clinical staff.