Incident Report: Adversarial Attack on AI Diagnostic System at NHS Trust
Incident Classification: Confirmed | Severity: Critical | Sector: Healthcare | Date Confirmed: May 2026
An NHS trust in the East of England has confirmed a security incident involving the deliberate manipulation of medical images processed by an AI-assisted radiology diagnostic system. The incident resulted in systematic misclassification of a subset of chest X-ray images over an approximately six-week period, with potential patient safety implications currently being assessed through a clinical review programme.
Patient safety note: The trust has confirmed that all cases flagged by the affected system were also reviewed by a radiologist. Clinical review is ongoing to determine whether any diagnostic decisions were adversely affected.
Incident Summary
| Field | Detail |
|---|---|
| Incident type | Adversarial perturbation of medical images |
| Affected system | AI-assisted chest X-ray screening platform (vendor name withheld) |
| Duration | Approximately 6 weeks |
| Images affected | Estimated 340–400 images |
| Detection method | Statistical anomaly detected in model confidence score distribution |
| Notified to | ICO, NHS England, MHRA |
Timeline
Week −2: Attacker gains access to the PACS (Picture Archiving and Communication System) integration layer that feeds images to the AI screening platform. Initial access vector is under investigation but is believed to involve a compromised service account with access to the DICOM image transfer agent.
Week 0 — Day 1: First adversarially perturbed images begin entering the AI screening pipeline. Perturbations are imperceptible to the human eye and do not affect radiologist review of the underlying image.
Week 4: The AI vendor’s monitoring system flags a distribution shift in the confidence scores output by the model for images from this trust. Scores that would normally cluster near 0.0 or 1.0 begin appearing in the mid-range.
Week 6 — Day 1: Vendor notifies the trust of the anomaly. Initial investigation reveals that affected images contain systematic pixel-level perturbations consistent with adversarial example generation techniques.
Week 6 — Day 3: The trust takes the AI screening system offline and notifies the ICO, NHS England, and the MHRA. Clinical review process initiated.
Technical Analysis
Attack Technique
The perturbations applied are consistent with a universal adversarial perturbation (UAP) attack. Unlike per-image adversarial examples, which are generated individually, a UAP is a single perturbation pattern that transfers across many different inputs: when added to them, it causes systematic misclassification across an entire class of images.
The properties of the observed perturbation:
- Imperceptible to humans — maximum pixel value change ≤ 4/255 (L∞ norm constraint)
- Universal — same perturbation applied to all affected images (not per-image)
- Targeted — designed to cause high-confidence negative predictions on images that would otherwise score as positive findings
The targeted direction — false negatives — suggests the attacker understood the clinical workflow: false positives trigger radiologist review, while false negatives cause cases to be deprioritised. However, because the trust’s protocol requires radiologist review of all cases, the clinical impact appears to have been limited.
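The universality property also gives defenders a handle: a pattern that is identical in every image survives averaging across a batch, while image-specific content cancels. The sketch below is an added example, not the trust's or the vendor's tooling; the tile size, threshold, high-pass filter and constructed images (a random ±4 pattern stands in for the perturbation) are all assumptions.

```python
import random

W = H = 16  # constructed tile size; a real check would run on image patches


def residual(img):
    """High-pass residual: each interior pixel minus the mean of its 4 neighbours."""
    out = []
    for y in range(1, H - 1):
        for x in range(1, W - 1):
            i = y * W + x
            out.append(img[i] - (img[i - 1] + img[i + 1] + img[i - W] + img[i + W]) / 4)
    return out


def shared_residual_rms(batch):
    """RMS of the per-pixel residual after averaging it over the whole batch."""
    # Content and sensor noise differ per image and average towards zero;
    # a pattern added identically to every image does not.
    sums = [0.0] * ((W - 2) * (H - 2))
    for img in batch:
        for k, r in enumerate(residual(img)):
            sums[k] += r
    mean_sq = sum((s / len(batch)) ** 2 for s in sums) / len(sums)
    return mean_sq ** 0.5


def make_clean(rng):
    """Constructed stand-in image: random linear gradient plus small noise."""
    base, gx, gy = rng.randint(60, 120), rng.randint(0, 3), rng.randint(0, 3)
    return [base + gx * x + gy * y + rng.randint(-3, 3)
            for y in range(H) for x in range(W)]


def demo(n_images=60, threshold=2.0):
    rng = random.Random(2026)
    # Fixed pattern with |delta| <= 4, reused for every image in the second batch.
    pattern = [rng.choice((-4, 4)) for _ in range(W * H)]
    clean = [make_clean(rng) for _ in range(n_images)]
    shifted = [[p + d for p, d in zip(make_clean(rng), pattern)]
               for _ in range(n_images)]
    return shared_residual_rms(clean) > threshold, shared_residual_rms(shifted) > threshold
```

Real radiographs share anatomy, so the threshold has to be calibrated against a known-clean batch from the same modality and site rather than fixed in advance.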
Access Path
The attacker gained access to the DICOM integration layer — software that transfers images from the PACS to the AI platform’s input queue. This layer had:
- A service account with read/write access to the image queue directory
- No integrity verification of images in transit
- No logging of image modification events
The perturbation was applied at the integration layer during transfer, so neither the PACS logs nor the AI platform’s own logs showed evidence of manipulation at the point of detection.
Root Cause Findings
- No image integrity verification — the AI platform accepted images without validating cryptographic integrity from the source PACS system.
- Overprivileged integration account — the service account used for image transfer had write access to a directory that should be write-only from the PACS and read-only for the AI platform.
- Absence of input distribution monitoring — while the AI vendor detected the anomaly via confidence score distributions (a reactive control), there was no proactive monitoring for pixel-level statistical anomalies in incoming images.
- Limited audit logging — the integration layer lacked granular audit logging, complicating forensic investigation of the access path.
Recommendations
For Healthcare AI Deployments
Image integrity verification: Implement cryptographic signing of medical images at the point of acquisition or PACS ingestion. Verify signatures before processing by any AI system.
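One way to enforce this check at the AI platform's input queue, as an added example rather than code from the trust or the vendor. It uses HMAC-SHA256 from the Python standard library as a stand-in for the signing the recommendation describes; an asymmetric signature would additionally stop the verifying side from producing valid tags. The key handling, function names and UIDs are assumptions.

```python
import hashlib
import hmac

# Constructed demo key. Assumption: the real key is held by the PACS-side sealer
# and the AI-side verifier only, never by the transfer agent's service account.
DEMO_KEY = b"constructed-demo-key"


def seal_image(key: bytes, instance_uid: str, pixel_data: bytes) -> str:
    """PACS side: MAC over the image identifier and a digest of its pixel bytes."""
    uid = instance_uid.encode()
    # Length-prefix the UID so the (uid, digest) encoding is unambiguous.
    msg = len(uid).to_bytes(4, "big") + uid + hashlib.sha256(pixel_data).digest()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_image(key: bytes, instance_uid: str, pixel_data: bytes, tag: str) -> bool:
    """AI side: recompute the tag and compare in constant time before inference."""
    return hmac.compare_digest(seal_image(key, instance_uid, pixel_data), tag)


def admit(key, queue_items):
    """Split queued (uid, pixels, tag) items into accepted and rejected UIDs."""
    accepted, rejected = [], []
    for uid, pixels, tag in queue_items:
        (accepted if verify_image(key, uid, pixels, tag) else rejected).append(uid)
    return accepted, rejected


def demo():
    # Constructed 8-bit buffers standing in for DICOM pixel data; UIDs are made up.
    img_a = bytes((i * 7) % 200 for i in range(4096))
    img_b = bytes((i * 13) % 200 for i in range(4096))
    tag_a = seal_image(DEMO_KEY, "2.25.1001", img_a)
    tag_b = seal_image(DEMO_KEY, "2.25.1002", img_b)
    # Every pixel shifted by 4, inside the 4/255 bound the report describes.
    img_b_modified = bytes(p + 4 for p in img_b)
    queue = [
        ("2.25.1001", img_a, tag_a),           # untouched
        ("2.25.1002", img_b_modified, tag_b),  # changed after sealing
        ("2.25.1003", img_a, tag_a),           # valid tag reused for another UID
    ]
    return admit(DEMO_KEY, queue)
```

Rejected items should be quarantined and logged rather than silently dropped, since the report names missing modification logging as a root cause.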
Integration layer hardening:
- Use separate credentials for write (PACS → queue) and read (AI platform ← queue) operations
- Apply strict access controls to image staging directories
- Enable file-level audit logging on image queues
AI input monitoring: Deploy statistical monitoring on AI system inputs to detect distribution shifts that may indicate adversarial manipulation. Key metrics:
- Pixel value distribution per image batch
- Frequency spectrum analysis (adversarial perturbations often show anomalous high-frequency components)
- Model confidence score distribution over time
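The third metric is the one that surfaced this incident: scores that normally sit near 0.0 or 1.0 drifting into the middle. The monitor below is an added example, not the vendor's implementation; the 0.2 to 0.8 band, the z-threshold, the minimum window size and the constructed scores are assumptions.

```python
import math

MID_LOW, MID_HIGH = 0.2, 0.8  # assumed definition of "mid-range"; tune per model


def mid_fraction(scores):
    """Share of scores that fall in the normally sparse middle band."""
    return sum(MID_LOW <= s <= MID_HIGH for s in scores) / len(scores)


def drift_z(window, baseline_rate):
    """One-sided z-statistic for the window's mid-range share against the baseline."""
    se = math.sqrt(baseline_rate * (1 - baseline_rate) / len(window))
    return (mid_fraction(window) - baseline_rate) / se


def flag_windows(baseline, windows, z_threshold=4.0, min_scores=100):
    """Return names of windows whose mid-range share is well above the baseline."""
    # Keep the rate away from 0 and 1 so the standard error is never zero.
    floor = 1 / len(baseline)
    rate = min(max(mid_fraction(baseline), floor), 1 - floor)
    flagged = []
    for name, scores in windows:
        if len(scores) < min_scores:
            continue  # too few images for the normal approximation
        if drift_z(scores, rate) > z_threshold:
            flagged.append(name)
    return flagged


def make_scores(low, high, mid):
    """Constructed scores: counts near 0.0, near 1.0 and in the middle band."""
    return [0.02] * low + [0.97] * high + [0.5] * mid


def demo():
    baseline = make_scores(600, 350, 50)        # 5% mid-range
    windows = [
        ("window-A", make_scores(120, 70, 10)),  # matches the baseline
        ("window-B", make_scores(118, 68, 14)),  # ordinary variation (7%)
        ("window-C", make_scores(100, 40, 60)),  # mid-range share jumps to 30%
        ("window-D", make_scores(10, 5, 5)),     # too small to judge
    ]
    return flag_windows(baseline, windows)
```

Running the comparison per site and per day, instead of across a vendor's whole customer base, shortens the gap between the first altered image and the alert.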
Adversarial robustness testing: Before deploying clinical AI systems, conduct adversarial robustness evaluations using standard attack methods (FGSM, PGD, universal perturbations). Certify that the deployed model meets a minimum robustness threshold.
For AI Vendors Serving Clinical Environments
- Build input integrity verification into the platform (not an optional add-on)
- Provide customers with real-time monitoring dashboards for model input statistics
- Include adversarial perturbation detection in standard model health checks
- Define and publish minimum security requirements for integration layer deployments
Regulatory Context
This incident is subject to investigation by the MHRA under the UK Medical Devices Regulations, as the AI system is classified as a Class IIa medical device. The ICO is also investigating the data aspects of the breach. NHS England’s AI Assurance Framework, published in 2025, includes requirements for adversarial robustness testing for AI systems used in clinical pathways — this incident will likely inform updated guidance.
The trust has stated it will publish a full incident report following the completion of its clinical review and regulatory investigations.