The NHS is Under Attack by Anthropic and Microsoft (or Their Lemmings That Infect the NHS)
...and by Palantir*
Having just covered severe issues in cPanel (proprietary software is a security liability for more reasons than Free software can ever be, as patches are monopolised) and said we'd discuss security in relation to the NHS, let's begin by stating that Anthropic is a truly malicious, villainous, evil, malignant, unethical and immoral company (don't mind the Cheeto spin; Anthropic is pure evil, irrespective of politics). Its paid-for media hype campaigns have done considerable damage and this past January Andy explained why the company is in effect a collection, or well-paid collective, of "pirates" who physically destroy literature. That it paid a bunch of bribes to the Linux Foundation (along with Microsoft) to promote slop possibly helps explain why Linus Torvalds accepts a sabotage (by slop) of his "first child/son" (Git was the second; he has 3 daughters too). Linux, as a kernel controlled indirectly by Sheela and James Zemlin, is in truly malicious hands - some of them are frauds and people who really belong in prison!
But we digress.
Anthropic weaponises shills and media operatives to spread claims about bugs, to mindlessly sell fear. Then, it tries to sell a solution (to its own FUD). They try to sell offensive slop, then defensive slop. It's outrageous, but that's exactly what this company does without bothering to disclose actual details (it just dramatises it all by saying "too dangerous to release"... then it 'leaks'... and nothing happens).
So what's happening right now, based on pure hype rather than facts, is explained in this blog post from Terence Eden ("NHS Goes To War Against Open Source"). The above links to two other sites that in turn link to this original one and elaborate upon it. There are more official sources, too**.
To be clear, this isn't the first time slop sabotages things, especially Free software. To give two recent examples, slop bug reports result in code being removed (because it's considered "not worth the time" to check if those are false positives; it's faster and cheaper to just cull the code) and many sites put JavaScript barriers (or outright block many Web clients), as slop bots are considered a nuisance (either for copyright reasons or wasteful loads induced by them). The latter, in turn, becomes a severe accessibility problem.
The NHS has long had a Microsoft problem. It's even worse than it sounds. Many Brits are nowadays reluctant to tell GPs anything about themselves; some of the moral GPs are reluctant to enter anything into their computer systems, either because of security concerns (data breaches) or concerns about "legitimate actors" like companies run by neonazis and selling/exploiting the data for nefarious purposes in an increasingly hostile distant continent.
In truth, the NHS knows that proprietary software has severe security issues; how many times did hospitals and NHS clinics encounter catastrophic attacks, data loss and operational failures (people literally died) due to Microsoft/Windows TCO?
They are kidding themselves if they seriously believe Web-facing source code repositories are the real threat to patients. █
____
* Some resources/references:
- Labour and Lib Dem MPs demand ‘shameful’ Palantir NHS contract be scrapped
- No Palantir in our NHS
- Palantir out of the NHS
- NHS Staff Told ‘Stop Criticising Palantir or Lose Your Job’
- Palantir Workers Are Finally Noticing The Skulls On Their Caps
** This is a more official source than what many link to:
Lots of good possible quotes in the above link, including: "NHS England has issued new guidance to staff, which has been shared with New Scientist, that demands existing and future software be pulled from public view and kept behind closed doors. “All source code repositories must be private by default. Repositories must not be public unless there is an explicit and exceptional need, and public access has been formally approved,” says the new guidance. The deadline for making code private is 11 May."
This is the culprit: "NHS England’s guidance specifically points to Mythos as the cause for the new measures. “Public repositories materially increase the risk of unintended disclosure of source code, architectural decisions, configuration detail, and contextual information that may be exploited – particularly given rapid advancements in AI models capable of large-scale code ingestion, inference, and reasoning (e.g. developments such as the Mythos model),” it reads. “This red line establishes a default-closed posture for code while the organisation assesses the impact of these changes and ensures that any public publication of code is a deliberate, reviewed, and justified decision.”"
And one more (very important to quote) from the geek's site: "As I've written before, this is not the correct response to the purported threat by Mythos. Neither the AI Safety Institute nor the NCSC recommend this action. While there may be some increase in risk from AI security scanners, to shutter everything would be a gross overreaction. Nevertheless, that's what the NHS is preparing to do."
To summarise in a sentence or two what it is that Terence actually points out regarding the attack, and why it is a mistaken approach:
The majority of code repos published by the NHS are not meaningfully affected by any advance in security scanning. They're mostly data sets, internal tools, guidance, research tools, front-end design and the like. There is nothing in them which could realistically lead to a security incident.
When I was working at NHSX during the pandemic, we were so confident of the safety and necessity of open source, we made sure the Covid Contact Tracing app was open sourced the minute it was available to the public. That was a nationally mandated app, installed on millions of phones, subject to intense scrutiny from hostile powers - and yet, despite publishing the code, architecture and documentation, the open source code caused zero security incidents.
Furthermore, this new guidance is in direct contradiction to the UK's Tech Code of Practice point 3 "Be open and use open source" which insists on code being open.
My wife and I worked on NHS systems for a number of years and a lot of the code we dealt with was Free software. The machines were not world-facing, however, so there was no risk to data even if an attacker was aware of some flaw in some software.
When managers are clueless about technology we get corporate media controlled by GAFAM giving the decision-makers bad advice. And they fall for it every time.
