More than a third of hospital trusts had their systems crippled in the WannaCry ransomware attack last May.
Nearly 20,000 hospital appointments were cancelled because the NHS failed to provide basic security against cyber attackers.
NHS officials said 47 trusts had been affected – but the National Audit Office (NAO) found that the impact was far greater, and in fact 81 were hit by the attack.
When the attack came on May 12 it ripped through the out-of-date defences used by the NHS.
The virus spread via email, locking staff out of their computers and demanding £230 to release the files on each employee account.
Hospital staff reported seeing computers go down ‘one by one’ as the attack took hold. Doctors and nurses were locked out, meaning they had to rely on pen and paper, and crucial equipment such as MRI machines were also disabled by the attack.
The report reveals nearly 19,500 medical appointments were cancelled, including 139 potential cancer referrals. Five hospitals had to divert ambulances away at the peak of the crisis.
Hospitals were found to have been running out-of-date computer systems, such as Windows XP and Windows 7 – that had not been updated to secure them against such attacks. Computers at almost 600 GP surgeries were also victims.
NAO said the cyber-attack could have easily been prevented. Officials were warned repeatedly about the WannaCry virus before the attack, with ‘critical alerts’ sent out in March and April.
Foreign Office minister Lord Ahmad confirmed the attack was carried out by the notorious North Korean cyber espionage group Lazarus.
Computer systems in 150 countries were caught up in the attack, which saw screens freeze with a warning they would not be unlocked unless a ransom was paid.
The Department of Health said that from next January hospitals will be subject to unannounced inspections of IT security.