A ransomware attack on an NHS software supplier last week is being investigated for potential theft of patient data, as experts warned that criminals could use personal information as leverage in negotiations.
Advanced, which provides services for NHS 111 and patient records, said it was investigating “potentially impacted data” and that it would provide updates when it had more information about “potential data access or exfiltration”. The UK data watchdog confirmed it was aware of the incident and was “making inquiries.”
The National Cyber Security Centre (NCSC), part of GCHQ, said it was “working with the company to fully understand the impact, while supporting the NHS”.
Alexi Drew, an information security consultant, said the involvement of the Information Commissioner’s Office (ICO), which oversees protection of people’s data in the UK, indicated serious concerns about whether personal data had been taken. “If the ICO is involved, they have to think that there is a credible risk that personal data has been stolen.”
Drew said ransomware gangs typically demanded a fee for decryption of files that had been locked up by the attack, but could also seek funds for the return of information or as a blackmail threat.
The Health Service Journal reported on Wednesday that a “system outage” of the Carenotes electronic patient record – an Advanced product – had affected at least nine NHS mental health trusts that face at least three weeks without access to vulnerable patients’ records. The attack has also affected the Advanced Adastra system, which helps 111 administrators dispatch ambulances and is a patient management system for emergency care.
Alan Woodward, a professor of cybersecurity at Surrey University, said any patient data on the affected Advanced systems would be at risk. “I think it’s safe to assume that anything they hold on those systems is at risk.” He added: “Even if it was ransomware … that doesn’t mean data was not stolen. Ransomware has evolved to not simply encrypt the data on the users’ devices but also to steal the data (the item of real value) and demand a ransom for its safe return/destruction.”
In a statement on Wednesday Advanced confirmed it had suffered a ransomware attack and said it believed it had “contained” the incident but some services could take weeks to recover.
“With respect to the NHS,” it said. “We are working with them and the NCSC to validate the additional steps we have taken, at which point the NHS will begin to bring its services back online. For NHS 111 and other urgent care customers, we anticipate this phased process to begin within the next few days. For other NHS customers, our current view is that it will be necessary to maintain existing contingency plans for at least three to four more weeks.”
Some ransomware gangs had declared a “truce” on attacking healthcare organisations during the Covid pandemic but cybersecurity specialists have warned that hostilities have resumed.
In May 2017 the NHS was badly affected by the WannaCry ransomware attack. The National Audit Office said 19,500 medical appointments were cancelled, computers at 600 GP surgeries were locked and five hospitals had to divert ambulances elsewhere.
English
Arabic
Chinese (Simplified)
Dutch
French
German
Italian
Portuguese
Russian
Spanish