INC Ransom Claims Cyber-Attack on UK Children's Hospital

An infamous ransomware group has claimed to have compromised sensitive data from a children’s hospital in Liverpool, UK.

On November 28, INC Ransom posted on its data leak site that it had obtained large-scale data, including patient records, donor reports and procurement data for 2018-2024, from Alder Hey Children’s NHS Foundation Trust.

INC Ransom claim on its leak site. Source: Ransomware.live

The Trust quickly acknowledged the claim and said in a November 28 statement: “We are aware that data has been published online and shared via social media that purports to have been obtained illegally from systems shared by Alder Hey and Liverpool Heart and Chest Hospital NHS Foundation Trust.”

Alder Hey staff members are working with the UK’s National Crime Agency (NCA) and other partners to verify the data and understand the impact of the alleged attack.

The organization said that its services are operating normally and patients should attend appointments as usual.

“We are taking this issue very seriously […] to secure our systems and take further steps in line with law enforcement advice as well as our statutory duties relating to patient data,” the Trust added.

This incident is not linked to the recent incident at Wirral University Teaching Hospitals, also around Liverpool.

Speaking to Infosecurity, Will Thomas, SANS Instructor and CTI researcher, said that while it is still unknown if the claim by INC Ransom is legitimate, a Citrix instance from Alder Hey NHS Foundation Trust’s IT systems has stopped responding.

He noted that the cyber defenders at Alder Hey have likely taken the Citrix instance down while they investigate.

He added that INC Ransom is known to use CitrixBleed (CVE-2023-4966), a critical software vulnerability found in 2023 in Citrix NetScaler ADC and NetScaler Gateway appliances. This vulnerability allows threat actors to bypass multifactor authentication (MFA) and hijack legitimate user sessions.

INC Ransom has targeted UK public organizations in the past.
