A recent investigation reveals that the National Health Service (NHS) in England has been defrauded of £101 million over the past five years, primarily through exploitation of IT system vulnerabilities. This significant loss, equivalent to the cost of thousands of nurse salaries or vital cancer treatments, has prompted calls for stronger security measures within the health service.

These fraudulent activities range from credit card theft and email hacking to sophisticated payment diversion scams, with criminals frequently intercepting supplier communications to redirect funds to unauthorized accounts. Such losses are particularly damaging to an already strained health service, according to experts.

The investigation uncovered specific cases, including a £30,615 bank mandate fraud at University Hospitals Bristol and Weston NHS Foundation Trust. Similarly, Hampshire Hospitals NHS Foundation Trust experienced a loss exceeding £10,000 due to credit card details being stolen. While banks often reimburse individual fraud victims, the same protections do not extend to NHS trusts.

Security experts emphasize the difficulty in recovering stolen funds once they are moved overseas, as is typical in these cybercrimes. The effectiveness of fraud prevention measures is often inconsistent, with banks frequently handling the fallout.

Various trusts have faced unique fraudulent attacks, with some instances proving particularly hard to resolve, such as the £9,835 loss by NHS Cheshire and Merseyside Integrated Care Board, resulting from compromised supplier emails. Other trusts have faced similarly complex hacks, including a £21,512.40 fraud at James Paget University Hospitals NHS Foundation Trust where criminals used fake email addresses and invoices.

Although some funds have been recovered, the significant losses highlight the need for enhanced protective measures. The NHS Counter Fraud Authority (NHSCFA) has stated that it is actively working to raise awareness and prevent payment diversion fraud.

The NHSCFA reports that its efforts led to the prevention of £33 million in attempted payment diversion fraud in 2022/23, with one prevention effort alone averting a £14 million loss. In addition, an estimated £184.6 million was protected due to the NHS fraud response in the past year.

While fraud against the NHS remains a persistent threat, the ongoing collaboration between the health sector and banking institutions aims to mitigate risks and safeguard public funds. The situation underscores the ongoing need for proactive and robust fraud prevention measures across the NHS.