The UK’s healthcare sector is being “stress-tested to breaking point,” with a tenfold increase in attacks during January-May 2026 compared to the whole of 2025, according to SonicWall.
The security vendor’s data comes from its intrusion prevention system (IPS) sensors dispersed across UK healthcare clients.
They recorded 264,000 individual events in the first five months of the year compared to just 27,000 for 2025.
That represents around 11,000 events per sensor in January-May 2026, more than any other vertical, according to the vendor.
The data revealed a mix of threats: some targeted legacy flaws, while others looked to exploit more recent vulnerabilities.
Two-fifths (41%) of events detected by SonicWall were attempts to exploit Log4Shell, a vulnerability in a popular Java-based logging utility first discovered and patched in 2021.
However, the vendor also saw attempts to exploit a critical remote code execution vulnerability in the React.js JavaScript library (React2Shell), which is found in newly deployed patient portals.
A third (33%) of sensors recorded authentication bypass attacks on F5 BIG-IP load balancers, which have been a popular target over recent years as they are widely deployed across the health service.
Patching Problems and Zombie Tech
SonicWall explained that part of the problem for healthcare organizations is that Java-based clinical applications are deeply embedded in NHS workflows. This means that they can’t be patched or replaced on a standard enterprise cycle.
“The fact that [Log4j] remains the most active attack vector against UK healthcare environments in 2026 points to a straightforward problem: clinical Java middleware, patient-facing web applications, and legacy hospital IT systems have not been updated,” it said.
“In an environment where unplanned downtime can affect patient care, the calculus around patching is complicated, but the data makes clear that the cost of delay is measured in attack volume, not just theoretical risk.”
SonicWall claimed the tenfold uptick in attack volumes could be the result of newly exposed infrastructure now connected to the internet, or of intensified targeting, perhaps from Iran. The increase in attacks coincides with a global surge in ICS/OT attacks from early 2026, it said.
Spencer Starkey, EMEA executive vice president at SonicWall, warned of a “double-edged crisis” threatening the sector.
“Attackers are targeting our hospitals, and stress-testing them to breaking point. Zombie tech, ancient unpatched systems and legacy Java keep haunting the NHS because administrators can’t just take a critical care system offline to patch it,” he continued.
“Meanwhile, the rush to digitize has opened the door to brand-new web vulnerabilities in patient portals. Threat actors have clocked the gap between old and new, and they’re scanning for it relentlessly.”
The threat to healthcare systems in the UK recently prompted the National Cyber Security Centre (NCSC) to publish a new plan designed to build cyber resilience in the sector.
