A fake phishing email sent out to all staff at one of the largest trusts in the country fooled 400 NHS staff into replying with confidential information.

The Leeds Teaching Hospitals NHS Trust undertook a cyber-security review exercise that included a counterfeit phishing email being sent out to all 17,000 staff. Some 2.3% of staff were lured into giving confidential information.

The trust’s latest board papers reveal that the Mersey Internal Audit Agency (MIAA) has produced a draft report for Leeds Teaching’s Audit Committee.

The papers said that 400 staff had handed over details including passwords to network credentials.

“Early results suggest we have good firewall protection but, like other organisations, are prone to human frailties in responding to suspicious emails.”

Tony Cobain, assistant director for informatics and infrastructure at MIAA, “stressed that in a real cyber-attack a breach and penetration could be achieved by one person responding to such a ‘phishing’ email”, the papers said.

A spokesman for Leeds Teaching said that the report was commissioned as part “of our continuous cyber security monitoring and assurance process”.

He added that the four pieces of work MIAA covered were firewall testing, a phishing exercise, penetration testing and a review of the Trust’s cyber defence framework.

The board papers added that it had been difficult to get the phishing email through Leeds Teaching’s firewall.

An independent review also blamed human error, along with aging infrastructure, for the protracted IT pathology crash at Leeds Teaching in September last year.

In February, a memo went round NHS staff to warn about the rise in spear phishing attacks on the NHS mail system, especially within GP practices.

The fraudulent emails use the names of real staff within the NHS and sometimes request the transfer of money to a UK bank account, the e-mail said.

In December 2016 an NHSmail account was hijacked and used to launch a phishing attack to extract sensitive details from other NHS staff, claiming to be from an “IT Support Team”.

The Leeds Teaching spokesman said that the final copy of the report would be confidential, and “for obvious reasons we would not be able to go into details about either findings or actions”.

The board papers pushed for more learning across NHS trusts.

“We also need to press the wider NHS to share learnings from other Trusts’ cyber attacks.”

In 2015 NHS Digital established CareCERT (the Care Computing Emergency Response Team) to help improve cyber resilience across both individual trusts and the national NHS IT infrastructure.

The growing threat of cyber-crime also led Sheffield Teaching Hospitals NHS Foundation Trust to overhaul its IT strategy in January.

Sheffield Teaching’s strategy said “the significance of cyber security in the modern world cannot be overestimated”.

The chaos caused when a hack happens was clearly demonstrated by the high-profile cyber-attack at Northern Lincolnshire and Goole NHS Foundation Trust in October last year.

The ‘Globe2’ ransomware virus took down Northern Lincolnshire and Goole’s systems for four days, which led to the cancellation of 2,800 appointments and a police investigation.