
Fraudsters steal £100m from NHS as scammers target hospitals

Exclusive: Calls for health service to protect itself better after ‘inexcusable’ losses

Howard Mustoe, Kate Devlin
Tuesday 31 December 2024 13:58 GMT

Fraudsters have stolen more than £100m from the NHS in the past five years, exploiting weaknesses in IT systems to commit crimes ranging from stealing credit card data to hacking supplier emails, The Independent can reveal.

Scams have cost the NHS the equivalent of funding more than 2,000 senior nurses’ salaries for a year or providing over 20,000 rounds of radiotherapy for cancer patients.

Experts warned that the “inexcusable” losses, revealed as part of an Independent investigation, were ones the already overstretched health service can “ill afford”, calling for the NHS to protect itself better against fraud.

In total, the cost of fraud to the NHS in England was £101m in the five years to 2023/24.

As for individual trusts within the NHS, freedom of information requests show that University Hospitals Bristol and Weston NHS Foundation Trust lost £30,615 in a 2020 bank mandate fraud. The trust declined to say more, but often in these cases criminals intercept emails and impersonate a supplier to trick staff into transferring money into fraudulent accounts, the funds from which are then moved out of the UK.

Meanwhile, Hampshire Hospitals NHS Foundation Trust lost over £10,000 in 2021/22 after its credit card details were stolen and used for online purchases.

The trust stated: “The details of a trust credit card were obtained by criminals and used to make inappropriate purchases online. This was investigated by the local counter-fraud specialist and police, but could not be pursued as the companies involved were based outside the UK.

“This was also reported to the bank, but the loss was identified too late to qualify for reimbursement. Two-factor authentication has since been enabled for some purchases, depending on the type of transaction, and monthly reconciliation checks are completed.”

While consumer rules put the onus on banks to reimburse individuals up to £85,000 for fraud, these regulations do not cover organisations such as NHS trusts, which can recoup fraud losses only if the money itself is recovered.

Theft across borders presents a formidable challenge, according to Richard De Vere, an independent security consultant. Once stolen funds are moved overseas, recovering them becomes a near-impossible task despite the willingness of some international law enforcement agencies to assist.

Efforts to tackle fraud, he explained, have largely been left to banks, with inconsistent outcomes. “Some victims get reimbursed, while others don’t,” he said. “Online crime is real crime, yet cybercrime seems to have been put on the back burner in recent years.”

Dr Tony O’Sullivan, co-chair of Keep Our NHS Public, warned that fraud crimes are a drain the NHS cannot afford. “The loss of revenue through fraud at the expense of hospitals and trusts is inexcusable,” he said. “The problem is exacerbated when there are insufficient safeguards and inadequate scrutiny of high-value private contracts.”

“Fraud is not a victimless crime,” Dr O’Sullivan stressed. “The NHS must be better protected.”

Some trusts have been more fortunate, though they have still suffered consequences. Medway NHS Foundation Trust reported that fraudsters stole £500,000, but the majority – £420,000 – was later recovered.

Others have been victims of more sophisticated hacks. NHS Cheshire and Merseyside Integrated Care Board was targeted twice. In September 2022, the board lost £9,835 after the email account of a supplier was compromised. This breach enabled criminals to reset the password of the board’s payment system and change the bank details for subsequent payments.

“The incident was referred to the NHS Counter Fraud Authority and Action Fraud (Police). No money was recovered, and the perpetrator(s) remain unknown,” the board said.

A second loss, amounting to £35,159, is still under investigation by the police, although the board declined to provide further details.

Meanwhile, James Paget University Hospitals NHS Foundation Trust was defrauded of £21,512.40. The trust received two invoices for the same payment, but with differing bank details. An official contacted the company they believed had sent the invoice and received a call back confirming the new details. However, the company they spoke to was not the legitimate one.

The trust said: “It came to light that the bank details on the copy invoices were incorrect and they have no record of anyone ringing us back. The emails were hacked and intercepted from an email address in the US. The bank were able to recover £19,000 from the fraudulent bank account. As far as we are aware, the perpetrators weren’t found.”

The £101m figure, released by health minister Karin Smyth in a written parliamentary answer, does not include sums that have subsequently been recovered.

A spokesperson for the NHS Counter Fraud Authority (NHSCFA) said: “Payment diversion fraud is a global problem to which the public sector is not immune. The NHSCFA has done a lot of work to raise awareness of it within the National Health Service.

“It is recognised as one of the most common types of fraud, where criminals attempt to hijack the identity of legitimate suppliers and divert payments made to them.

“In a national campaign in 2022/23, the NHSCFA and partners directly prevented £33m of attempted payment diversion fraud, with one successful prevention diverting a potential loss of £14m. This approach is ongoing as we continue to work in partnership across the health sector and the banking sector.”

They added: “The recent National Audit Office report into the impact of fraud and error on public funds estimates the overall cost to the taxpayer of between £55bn and £81bn in 2023/24. The NHS is no exception to this, and the £181.7bn of national annual expenditure is a target for those who are intent on committing fraud.

“The NHSCFA coordinates the collective response to fraud against the NHS by working with a wide range of partners across the sector to detect, prevent and recover moneys lost to fraud. There is a counter-fraud response in place within every NHS commissioner and provider in England, and in 2023/24 alone, this coordinated response prevented £184.6m from being lost due to attacks against NHS funds from fraudsters.”
