A single cyber-attack has impacted three healthcare organizations, including a children’s hospital, located around Liverpool in the UK.
Alder Hey Children’s NHS Foundation Trust confirmed that cybercriminals gained unlawful access to data from Alder Hey Children’s Hospital, Liverpool Heart and Chest Hospital, and, to a lesser extent, Royal Liverpool University Hospital, according to an update published on December 4.
This follows a claim made on November 28 by the ransomware group INC Ransom that it obtained large-scale data from patient records, donor reports and procurement data for 2018-2024 from the Trust.
The Trust acknowledged the claim in a November 28 message and said it was investigating the incident with the UK’s National Crime Agency (NCA) and external partners.
The Trust has since confirmed the criminals gained access to the data through unauthorized access to a digital gateway service shared by Alder Hey and the Liverpool Heart and Chest Hospital.
“This has resulted in the attacker unlawfully getting access to systems containing data from Alder Hey Children’s NHS Foundation Trust, Liverpool Heart and Chest Hospital, and a small amount of data from Royal Liverpool University Hospital,” the Trust explained.
Imminent Data Leak
The Trust added that the investigators are still working on determining which data the attacker actually managed to compromise.
“The investigation into the data may take some time, and there is a possibility that the attacker may publish the data before our investigation is concluded,” the Trust warned.
Despite the incident, hospital services at the three locations continue to run normally and patients are advised to continue to attend appointments.
“As part of our response to this threat we have made progress in securing impacted systems and ensuring the attackers do not have continued access. This means that we are in a position to begin to reconnect our systems when it is safe to do so,” the message read.
“We are also following guidance from the Information Commissioner’s Office (ICO) and will ensure that anyone impacted by this data breach is contacted directly and supported.”
Speaking to Infosecurity, Will Thomas, SANS Instructor and CTI researcher, commented: "It is bad news that the scope of the INC Ransom attack on the NHS hospital is actually worse than originally thought, but calming to hear hospital services were unaffected. Due to the impacted IT system supporting multiple hospitals, the number of potentially impacted patients has grown exponentially."
"IT systems continue to be a single-point-of-failure for the NHS as we have seen with multiple ransomware attacks on the health service the last year or two, by other similar ransomware groups such as Qilin, ALPHV/BlackCat, and LockBit. The reference to a 'digital gateway service' appears to confirm the original hypothesis that the cybercriminals gained initial access via their Citrix infrastructure."
This incident is not linked to the recent incident at Wirral University Teaching Hospitals, also around Liverpool.
Photo credit: Jason Wells/Shutterstock