A report released by the NAO on Friday found that hospital trusts were left vulnerable to the attack because basic recommendations on cyber-security were not followed.
Between 15 May and mid-September NHS Digital and NHS England identified a further 92 organisations, including 21 trusts, as contacting the WannaCry domain, though some of these may have been contacting the domain as part of their cyber security activity.
Prior to the attack, the Department of Health didn't have any formal mechanism for checking whether local NHS organisations were following their advice on cybersecurity issues. Despite this, the older Microsoft operating system remained common within the NHS.
The malware is believed to have infected machines at 81 health trusts across England - a third of the 236 total - plus computers at nearly 600 GP surgeries, the NAO found. None paid the ransom.
"Tried and tested emergency plans were activated quickly and our hard-working NHS staff went the extra mile to provide patient care, keeping the impact on NHS services and patients to a minimum".
WannaCry hit 34 per cent of health trusts in England, although the full extent of the disruption and financial impact is unknown.
The NAO says the DH was warned about the risks of cyber attacks on the NHS a year before WannaCry, "and although it had work underway it did not formally respond with a written report until July 2017". As the NHS had not rehearsed for a national cyber attack it was not immediately clear who should lead the response and there were problems with communications.
"The WannaCry cyber-attack had potentially serious implications for the NHS and its ability to provide care to patients", said Sir Amyas Morse, head of the NAO.
The NHS says it will learn from the incident and is taking action to ensure a more effective response can be taken in the event of a similar attack in future.
The head of the National Audit Office warned the health service and Department of Health to "get their act together" in the wake of the WannaCry crisis, or risk suffering a more sophisticated and damaging future attack.
NHS Digital told the NAO that all organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple steps to protect themselves against the virus.
He said: "Other countries do have doctrines and military thinking along that line, but the West - the United States, Europe and the United Kingdom - are much more thoughtful about these things because, ultimately, if we were to take some action, we have to remember that some of these states may, as we have seen with this WannaCry, strike out at the rest of our functions".
Britain today blamed North Korea for a ransomware attack this year that a new report revealed affected a third of English hospitals and could have been prevented with "basic" IT security.
NHS England initially focused on maintaining emergency care. However, the IT department had no powers to make them take action.
"We learned a lot from WannaCry and are working closely with our colleagues in other national bodies to continue to listen, learn and offer support and services to frontline organisations".