Cliff Notes
- Recent cyberattack exposes NHS trusts, specifically University College London Hospitals and University Hospital Southampton, raising concerns over the security of patient data.
- Hackers exploited a vulnerability in Ivanti Endpoint Manager Mobile software, accessing sensitive information such as staff phone numbers and authentication tokens without deploying ransomware.
- Experts warn of potential widespread impacts on patient safety, including disrupted appointment systems and increased public distrust in NHS cybersecurity measures.
NHS trusts’ data ‘stolen’ in cyberattack | UK News
NHS trusts had information stolen in the latest cyberattack on the UK health service, with concerns raised that patient data might be vulnerable in such incidents.
University College London Hospitals NHS Foundation Trust and University Hospital Southampton NHS Foundation Trust have been named as those exposed via a recently discovered exploit.
NHS England is investigating the potential incident with the UK’s top cybersecurity defence team at the National Cyber Security Centre (NCSC).
Cody Barrow is the chief executive of EclecticIQ and previously worked at the Pentagon, US Cyber Command and the NSA. The firm analyses cyberattacks and uncovered the extent of this incident.
He told UK News such attacks raise the “potential for unauthorised access to highly sensitive patient records”.
Data was taken clandestinely
Analysts at EclecticIQ have identified victims of the hack spanning agencies and businesses across Scandinavia, the UK, US, Germany, Ireland, South Korea and Japan.
Rather than a ransomware attack, data was taken clandestinely after hackers exploited holes in software.
In this case, the vulnerability was in a piece of software called Ivanti Endpoint Manager Mobile (EPMM) – a programme that helps businesses manage employee phones.
The hole in Ivanti’s software was first discovered on 15 May, and it has since been fixed – although there are warnings that systems previously exploited could still be vulnerable.
The vulnerability in Ivanti’s software allowed hackers to access, explore and run programmes on their target’s systems.
According to the experts at EclecticIQ, the kind of data accessed included staff phone numbers, IMEI numbers, and then technical data like authentication tokens.
Such attacks can leave hackers able to access other data like patient records and further parts of the network via a process called remote code execution (RCE) – running programmes on compromised systems.
The analysts said they have identified the hackers exploiting the Ivanti backdoor as having used an IP address based in China, but this could be a smokescreen, as the CIA and other agencies also operate from the far east.
Such attacks can occur when hackers use an automated scan of the internet to find examples of vulnerable software, rather than being targeted.
Mr Barrow told News agencies in the UK: “This situation represents another urgent wake-up call for the NHS. With threat actors actively exploiting these vulnerabilities, we’re not looking at a distant or theoretical risk. The targeting is happening now, and the consequences could be felt across the healthcare system.
“The potential compromise scope goes well beyond data theft. We’re looking at the potential for unauthorised access to highly sensitive patient records, the disruption of crucial appointment systems, and even interference with critical medical devices that are vital for daily patient care.”
“This strikes at the heart of patient safety and care delivery,” Mr Barrow added. “The impact wouldn’t be isolated, it could cause cascading effects: cancelled surgeries, delays in urgent treatments, and medical devices failing when needed most. We’ve seen this before.
Past cyberattacks have shown the chaos
“Past cyberattacks have shown the chaos that ensues, directly threatening patient outcomes, putting lives at risk and forcing frontline staff to work under extreme pressure.
“Beyond immediate operational chaos, these vulnerabilities also profoundly erode public trust in the NHS’s capacity to safeguard both their data and their health.
“The immediate directive for NHS trusts to engage their cybersecurity teams underscores the severity. The response to this kind of cyber threat needs to be treated with the same urgency as a medical emergency.”
A spokesperson for NHS England said: “We are currently investigating this potential incident with cybersecurity partners, including the National Cyber Security Centre, and the trusts mentioned.
“NHS England provides 24/7 cyber monitoring and incident response across the NHS, and we have a high severity alert system that enables trusts to prioritise the most critical vulnerabilities and remediate them as soon as possible.”
Ivanti software caused the vulnerability
A spokesperson for Ivanti said they had released a fix for the vulnerability in their software.
An NCSC spokesperson in the UK said: “We are working to fully understand the impact following reports that critical vulnerabilities in Ivanti Endpoint Manager Mobile are being actively exploited.
“The NCSC strongly encourages organisations to follow vendor best practice to mitigate vulnerabilities and potential malicious activity.
“Vulnerabilities are a common aspect of cyber security, and all organisations must consider how to most effectively manage potential security issues.”
“We remain committed to collaboration and transparency with our stakeholders and the broader security ecosystem,” it added.
“At the time of disclosure, we are aware of a very limited number of on-premise EPMM customers whose solution has been exploited.”