NHS trusts hit by cyber attack, patient data feared stolen

Several NHS trusts have had data stolen in the latest cyberattack to target the UK health service, raising significant concerns about the potential exposure of sensitive patient information.
University College London Hospitals NHS Foundation Trust and University Hospital Southampton NHS Foundation Trust have been identified as being exposed through a recently discovered software vulnerability.
Experts warn that this incident could lead to “unauthorised access to highly sensitive patient records”. Cody Barrow, CEO of EclecticIQ, a firm that analyzes cyberattacks and uncovered the extent of this incident, emphasized the severity, telling Sky News: “This situation represents another urgent wake-up call for the NHS”.
He added: “The potential compromise scope goes well beyond data theft. We’re looking at the potential for unauthorised access to highly sensitive patient records, the disruption of crucial appointment systems and even interference with critical medical devices that are vital for daily patient care”.
The attack exploited a vulnerability in Ivanti Endpoint Manager Mobile (EPMM) software, a program used by businesses to manage employee phones. Although the flaw was discovered and fixed on May 15, systems previously exploited could still be vulnerable.
Hackers were able to access and run programs on targeted systems, obtaining data such as staff phone numbers, IMEI numbers, and authentication tokens. This type of access, known as remote code execution (RCE), could allow hackers to access further data, including patient records.
Analysts at EclecticIQ have identified the hackers as using an IP address based in China, with their methods resembling those of previous China-based actors. NHS England confirmed it is investigating the potential incident with cybersecurity partners, including the National Cyber Security Centre (NCSC).
An NHS England spokesperson stated: “NHS England provides 24/7 cyber monitoring and incident response across the NHS, and we have a high severity alert system that enables trusts to prioritise the most critical vulnerabilities and remediate them as soon as possible”. The NCSC is also working to understand the full impact in the UK.
Commenting on the recent cyberattack on NHS trusts, Vivek Dodd, CEO at Skillcast, added:
“The recent cyberattack on NHS trusts highlights a concerning shift in the tactics used by hackers, exploiting vulnerabilities not in core clinical systems, but in employee management software. The use of a programme that helps businesses to manage employee phones as an entry point underscores how attackers are increasingly targeting peripheral but critical infrastructure to gain access.
“What makes this incident particularly severe is the exposure of special category data, including sensitive patient information and authentication credentials, elevating the risk and potential impact dramatically. It’s a stark reminder that cybersecurity strategies must extend beyond traditional IT systems to cover all connected software ecosystems, especially those managing mobile endpoints and staff devices.
“Alongside technical defenses, robust employee training is essential to ensure staff remain vigilant against social engineering and can respond effectively to potential security incidents. The involvement of a sophisticated attacker employing remote code execution to quietly infiltrate systems without triggering ransomware alerts illustrates the evolving complexity of cyber threats today.”