Report a cyber security incident

If your organisation is experiencing a cyber security incident affecting health or care services, systems, or data, you can notify the NHS National Cyber Security Operations Centre (CSOC) for support.

Request immediate support for a cyber security issue - call 0300 303 5222 (monitored 24/7).

Report an urgent cyber security issue by logging a ServiceNow ticket and attaching all relevant details. 

If you have found a vulnerability in an NHS system, report it via our Vulnerability Disclosure Programme.

For general cyber operations queries email [email protected].


When to report an incident

You should report a cyber incident if it affects: 

  • health or care organisations, systems, services, or data within England
  • any organisation subject to the Data Security and Protection Toolkit (DSPT) or designated as an operator of essential services for health and care in England

Please specify whether your report is: 

  • for informational purposes only
  • a request for technical support 

How to report an incident

Urgent incidents and escalations

If you need to request immediate support for an incident, or to escalate a ServiceNow ticket that you have already submitted, call us on 0300 303 5222.

Organisations are encouraged to log a ServiceNow ticket to report urgent cyber security issues and attach all relevant details to help CSOC triage quickly.  

If you do not have ServiceNow access or wish to escalate the urgency, call the urgent cyber security number on 0300 303 5222.

Both methods are monitored 24/7, every day of the year. 

Non-urgent incidents

For all non-urgent cyber incidents where you do not have access to ServiceNow:

Vulnerability disclosure 

If you have discovered a vulnerability in an NHS system, please report it via our Vulnerability Disclosure Programme.


What to include in your report

To help CSOC respond effectively, please provide as much of the following as possible:

  • contact details - roles, responsibilities, and a single point of contact
  • organisation name - include your ODS code, if available
  • local incident references - send links to incidents in tools like Microsoft Defender
  • suppliers - details of any third-party involvement
  • investigation stage - progress of your internal investigation
  • incident classification - type of incident (such as phishing or ransomware)
  • impact - affected assets, clinical or organisational impact
  • attack identifiers - indicators of compromise, such as ransom notes 

Regulatory reporting obligations 

Reporting to NHS CSOC does not fulfil legal or regulatory requirements. 

Operators of essential services must report incidents under the Network and Information Systems Regulations. 

To report to DHSC, log into the DSPT and use the Report an Incident menu.

The DSPT reporting channel is not monitored 24/7.

For urgent support, use ServiceNow or call our emergency telephone number - 0300 303 5222.

Last edited: 28 October 2025 10:49 am