Alder Hey Children’s NHS Foundation Trust in Liverpool recently disclosed that it and Liverpool Heart and Chest Hospital NHS Foundation Trust were victims of an INC Ransom cyberattack, which has compromised patient data across both hospitals, as well as Royal Liverpool University Hospital.
The breach came to light on November 28 when it was confirmed that criminals exploited a shared digital gateway between Alder Hey and Liverpool Heart and Chest. They accessed sensitive data from the IT systems of both hospitals and a small amount of information from Royal Liverpool. This incident is separate from a ransomware attack, linked to the RansomHub group, that occurred days earlier at Wirral University Hospitals NHS Foundation Trust.
On December 4, Alder Hey updated the public, stating that its investigation into the extent of the data theft is ongoing. The Trust cautioned that the ransomware group might release the stolen data before this investigation wraps up. The warning reflects a tough stance against giving in to criminals, which aligns with UK public sector policies. Alder Hey reassured everyone that frontline services continue without disruption and urged patients to keep their appointments as planned.
The Trust reported positive strides in their recovery efforts, working closely with the National Crime Agency to secure impacted systems. They also noted they were heeding advice from the Information Commissioner’s Office to notify and support anyone affected by the breach.
There’s also speculation around how the attackers infiltrated the system. Alder Hey suggested the criminals might have gained access via a Citrix vulnerability known as Citrix Bleed, tracked as CVE-2023-4966. This flaw allows session hijacking and data disclosure and has been widely exploited in various ransomware attacks, including some high-profile incidents involving groups like LockBit.
Rafe Pilling from Secureworks pointed out that criminal organizations are always on the lookout for vulnerabilities to exploit, regardless of the consequences for their targets. He noted that the healthcare sector is especially vulnerable, highlighting previous attacks on NHS Dumfries and Galloway. Though INC Ransom has focused on US-based victims since its inception in July 2023, its reach is extending globally, targeting a mix of industries, particularly healthcare and education.