Hackers have stolen login credentials from thousands of people working with the U.K.’s National Health Service, putting the organization at risk of further cyberattacks, according to researchers.
The data theft is linked to a kind of malicious software known as an infostealer, which infects targeted computers and covertly gathers login credentials that hackers can then use to gain access to an organization’s internal systems.
About 2,000 computers used by people working with the National Health Service, or NHS, which runs hospitals and clinics across the country, have been compromised by infostealers, according to an analysis by the Tel Aviv-based cybersecurity firm Hudson Rock.
A spokesperson for NHS England didn’t directly address Hudson Rock’s allegations. However, the spokesperson said the agency has worked closely with cybersecurity partners, including the National Cyber Security Centre, to manage risks and provide “24/7” cyber monitoring and incident response across the national health service. That includes using a “high-severity alert system” that enables trusts to prioritize the most critical vulnerabilities and remediate them as soon as possible, the spokesperson said.
The NHS also used multifactor authentication as an additional security measure to prevent cyber criminals from accessing staff accounts, the spokesperson said.
Many of the stolen credentials are for accounts that have been registered with an NHS.net email address, meaning they belong to an NHS employee or affiliate, such as a pharmacist or an IT consultant, according to Hudson Rock. The credentials were stolen between 2020 and 2025 and include passwords for internal NHS email systems and for other platforms such as Zoom, Zendesk, Salesforce and NHS.uk., according to the analysis.
Crucially, the infostealers don’t just harvest passwords — they often collect session cookies from the computers they infect, which can enable hackers to spoof legitimate logins and bypass multifactor authentication.
“These credentials could potentially enable unauthorized access to critical infrastructure,” according to Alon Gal, Hudson Rock’s co-founder and chief technology officer.
Around 200 of the employees have had their computers compromised by infostealers so far in 2025, Gal said in a message to Bloomberg News. Hudson Rock purchased the stolen data from cyber criminals and used it for its analysis. It’s not uncommon for cybersecurity researchers to analyze data stolen by hackers.
The stolen data came directly from computers infected by infostealers, and other evidence supported its veracity, including user’s browsing history and autofill information, Gal said, adding that the credentials also correlated with real people employed at NHS and other companies through LinkedIn and elsewhere.
It isn’t known if the stolen credentials have been used for more intrusive attacks at NHS.
Saif Abed, a cybersecurity expert and former NHS doctor, said he had reviewed Hudson Rock’s data and was alarmed by what he’d seen. The stolen credentials included logins for electronic health record suppliers and credentials for administrator accounts, which could potentially be abused to access sensitive internal systems, he said.
The NHS and its supply chain, Abed said, was “compromised at levels that are a threat to patient safety.” He called for a national investigation into the health service’s cybersecurity.
The NHS has been the victim of several highly disruptive cyberattacks in recent years. In 2022, a hack on a NHS contractor disrupted doctors’ access to patient records and caused widespread disruption. An attack on another contractor last year resulted in thousands of canceled appointments at hospitals in London, causing the death of one patient and serious harm to others, Bloomberg previously reported.
The concern is that the scourge of infostealers could lead to yet another NHS breach. Similar types of attacks have caused damage to the health sector in other countries. A crippling ransomware attack on the UnitedHealth Group Inc. subsidiary Change Healthcare last year, for instance, disrupted payment systems used by thousands of hospitals, insurers and pharmacies.
According to the Change Healthcare, the breach occurred after hackers obtained a compromised credential from one of its employees. Hudson Rock linked that credential theft to an infostealer breach just days prior to the attack.
Top photo: National Health Service branding on laboratory coats at Guy’s and St Thomas’s Hospital is London, on Thursday, May 25, 2023. Photographer: Jose Sarmento Matos/Bloomberg.
Copyright 2025 Bloomberg.
Want to stay up to date?
Get the latest insurance news
sent straight to your inbox.