Ransomware Groups Attack Multiple UK NHS Trusts
Ransomware groups continue to attack the healthcare sector and have claimed multiple victims in the UK in the past few days. First came an attack on Wirral University Teaching Hospitals (WUTH) NHS Foundation Trust, closely followed by an attack on Liverpool Heart and Chest Hospital Foundation Trust and Alder Hey Children’s NHS Foundation Trust. The latter is one of the biggest and busiest children’s hospitals in Europe. The attacks were conducted by different ransomware groups around the same time, at NHS Trusts less than a dozen miles apart.
Wirral University Teaching Hospitals (WUTH) NHS Foundation Trust Falls Victim to Ransomware Attack
WUTH is responsible for three hospitals in the Wirral Peninsula – Arrowe Park Hospital, Clatterbridge Hospital, and Wirral Women & Children’s Hospital – plus a couple of community health facilities. On November 25, a WUTH spokesperson confirmed a major incident had been declared due to the ransomware attack, business continuity processes had been implemented, and steps had to be taken to ensure patient safety.
Local media reported that all electronic systems were offline, and all processes had to be completed manually. WUTH said scheduled appointments had been canceled and would be rearranged, and the public was urged only to visit its Emergency Departments for genuine emergencies. WUTH issued an update on November 28, 2024, confirming that staff were working with pen and paper due to the lack of access to electronic systems and that work was ongoing to address the incident. Disruption was expected to continue over the weekend. The Register reports that the RansomHub ransomware group was behind the attack, although there is no listing on the RansomHub data leak site at the time of writing.
INC Ransom Group Threatens to Publish Data from Alder Hey Children’s and Liverpool Heart and Chest Hospital
Three days after the ransomware attack on WUTH, a second NHS Trust just a few miles away confirmed that it had learned that there had been a major data breach and data had been published online. “We are aware that data has been published online and shared via social media that purports to have been obtained illegally from systems shared by Alder Hey and Liverpool Heart and Chest Hospital NHS Foundation Trust,” explained Alder Hey Children’s in a November 28 website notice. “We are working with partners to verify the data that has been published and to understand the potential impact.”
Alder Hey Children’s said the incident was not linked to the ongoing incident at WUTH and confirmed that its services were operating as normal, and appointments had not been cancelled. The INC Ransom group claimed responsibility for the attack and published several screenshots of the stolen data on its leak site. The screenshots show patient names, medical reports, donor information, and financial documents. The INC Ransom group is threatening to publish all of the stolen data if the ransom is not paid. The UK’s National Cyber Security Centre is assisting the NHS Trusts with their investigations to understand the impact of the attacks.
The INC Ransom group was behind an attack on another NHS trust earlier this year, NHS Dumfries and Galloway in Scotland. The attack caused major disruption to patient services and involved the theft of around 3TB of data. INC Ransom published the data of 150,000 patients on its leak site when the ransom was not paid. INC Ransom has also conducted several attacks on healthcare organizations in the United States, including McLaren Health Care in Michigan and the hospice-focused pharmacy OnePoint Patient Care.
Update: Alder Hey Children’s has confirmed that the ransomware group also stole a limited amount of data of Royal Liverpool University Hospital patients.
Hacker Claims Responsibility for Theft of 1.5 Million Patient Records in France
A couple of weeks ago, across the English Channel in France, an unnamed French hospital suffered a major cyberattack involving the theft of the medical records of approximately 758,000 patients. A threat actor with the moniker “Nears” claimed responsibility for the attack, claimed to have stolen 1.5 million patient records from multiple healthcare facilities in France, and offered the 758,000 records for sale. The hacker claimed to have gained access to Softway Medical Group’s electronic health record solution, MediBoard. Softway Medical Group confirmed that a MediBoard account had been compromised using credentials stolen from the hospital, rather than by exploiting a vulnerability or misconfiguration, and that the compromised data was hosted by the hospital rather than by Softway Medical Group. All of the affected hospitals were run by the healthcare organization Aléo Santé.


