A cyber-attack has rocked the healthcare sector in Liverpool, UK, affecting three prominent healthcare organizations, including a children’s hospital. Alder Hey Children’s NHS Foundation Trust confirmed the breach, revealing that cybercriminals gained unauthorized access to data from Alder Hey Children’s Hospital, Liverpool Heart and Chest Hospital, and Royal Liverpool University Hospital.
The breach was first claimed by the ransomware group INC Ransom on November 28, stating that they had obtained extensive data from patient records, donor reports, and procurement data spanning from 2018 to 2024 from the Trust. The Trust immediately acknowledged the claim and initiated an investigation in collaboration with the UK’s National Crime Agency (NCA) and external partners.
According to the Trust, the attackers gained access to the data through an unauthorized entry into a digital gateway service shared by Alder Hey and the Liverpool Heart and Chest Hospital. This breach resulted in the unlawful extraction of data from the aforementioned healthcare organizations, with the extent of the compromised data still under investigation.
The Trust has warned that the attackers may potentially leak the compromised data before the investigation is concluded, highlighting the urgency of the situation. Despite the breach, hospital services at the affected locations are operating normally, and patients are encouraged to attend appointments as scheduled.
Efforts are underway to secure the impacted systems and prevent any continued access by the attackers. The Trust has also assured that they are following guidelines from the Information Commissioner’s Office (ICO) and will directly contact and support individuals impacted by the breach.
Commenting on the incident, Will Thomas, a SANS Instructor and CTI researcher, expressed concern over the severity of the attack but noted that it was reassuring that hospital services remained unaffected. He pointed out that IT systems remain a vulnerable point for the healthcare sector, as evidenced by previous ransomware attacks on the NHS by various cybercriminal groups.
The reference to a ‘digital gateway service’ in this incident aligns with the suspicion that the attackers initially gained access through the Citrix infrastructure. It is crucial for healthcare organizations to strengthen their cybersecurity measures to prevent such breaches in the future.
It is important to note that this incident is unrelated to a recent incident at Wirral University Teaching Hospitals in the same region. As investigations continue and security measures are enhanced, healthcare organizations must remain vigilant against cyber threats to safeguard sensitive patient data and ensure smooth operations.