Two NHS trusts have suffered cyber attacks which exposed staff data, prompting fresh calls for more robust supply chain security practices.
University College London Hospitals (UCLH) NHS Foundation Trust and University Hospital Southampton NHS Foundation Trust were targeted in an attack which exploited a flaw in Ivanti Endpoint Manager Mobile (EPMM) - a tool used to manage employee mobile devices.
The flaw was discovered on May 15th, and has since been patched by Ivanti.
UCLH said it was investigating with the help of cybersecurity experts at NHS England, but said it had 'no evidence' that patient data was accessed.
"The UCLH system which was compromised contained data about staff mobile devices such as the mobile number and the IMEI number (a unique code to identify the phone on the mobile network)," it said in a statement. "It did not contain passwords or patient data."
According to reports from Sky News, which first revealed the incident, analysts at security firm EclecticIQ have identified other victims, including agencies and businesses across Scandinavia, the UK, the US, Germany, Ireland, South Korea, and Japan.
The attacks originated from a China-based IP address, although there's been no definite attribution.
NHS cyber attacks continue
The NHS has repeatedly fallen victim to hackers over the last couple of years.
In June 2024, for example, thousands of procedures at London hospitals were cancelled following a cyber attack on blood testing company Synnovis, claimed by the Russian-speaking ransomware group Qilin.
Similarly, last November Wirral University Teaching Hospital Trust in Merseyside was hit by a major cybersecurity incident that led to appointments being cancelled.
This latest attack highlights the risks of poor vendor security management within the NHS, according to Dray Agha, senior manager of security operations at Huntress.
"The breach reportedly stemmed from a recently discovered exploit in third-party software. This is a stark reminder that healthcare security isn't solely about the NHS trusts' own systems," said Agha.
"Robust vendor risk management, continuous vulnerability patching across the entire digital supply chain, and swift incident response coordination with suppliers are absolutely critical defences."
The NHS is all too aware of the problems it faces with regard to cyber threats, and recently launched a new cybersecurity charter aimed at strengthening vendor security practices.
Suppliers will be asked to adhere to eight core principles, including staying up to date with the latest patches, applying multi-factor authentication (MFA) on their networks and systems, keeping 'immutable' backups of all critical business data and conducting round-the-clock threat monitoring.
MORE FROM ITPRO
- Criminal records, financial data exposed in cyber attack on Legal Aid Agency
- Why DragonForce is growing in prominence
- The UK’s science funding agency is being bombarded with cyber attacks
-
How is the role of the CISO evolving?Supported Content This role now stands as a pivotal figure in organizational strategy and security posture
-
How AI agents are being deployed in the real worldSupported Content These intelligent systems, capable of independent decision-making and learning, are transforming how organisations detect, respond to, and manage security incidents
-
NHS England launches cyber charter to shore up vendor security practicesNews Voluntary charter follows a series of high-profile ransomware attacks
-
NHS supplier hit with £3m fine for security failings that led to attack
News Advanced Computer Software Group lacked MFA, comprehensive vulnerability scanning and proper patch management
-
Cyber attack delayed cancer treatment at NHS hospital
News A cyber attack at Wirral University Teaching Hospital in 2024 delayed critical cancer treatment for patients, documents show.
-
Alder Hey Children’s Hospital confirms hackers gained access to patient data through digital gateway serviceNews Europe’s busiest children’s hospital confirmed attackers were able to steal data from a compromised digital gateway service
-
Major incident declared as Merseyside hospitals hit by cyber attackNews The incident, which has led to cancelled appointments, is just the latest in a series of attacks on healthcare organizations
-
Thousands of procedures canceled at London hospitals as Qilin releases blood test dataNews The attack on blood testing company Synnovis continues to affect patients, while the ransomware group follows through with its threats
-
Ransomware group threatens to publish 3TB of stolen NHS Scotland data after posting proof of attackNews NHS Dumfries and Galloway has confirmed some of the sensitive data stolen during the 15 March attack has been published by a known ransomware operator
-
Attack on third-party software vendor disrupts NHS ambulance servicesNews The ambulance services serve more than 10 million people across the south of England
