
Cyberattack on NHS trusts exposes staff data via Ivanti software vulnerability


Two major NHS trusts have been affected by a recent cyberattack that exposed staff data through a vulnerability in a third-party software system, raising new concerns about the security of healthcare IT supply chains.


University College London Hospitals NHS Foundation Trust (UCLH) and University Hospital Southampton NHS Foundation Trust were identified as victims of the breach, which stemmed from an exploit in Ivanti Endpoint Manager Mobile (EPMM), a tool used to manage mobile devices within organizations. The vulnerability was first discovered on May 15 and has since been patched by Ivanti. However, experts warn that systems already compromised may remain exposed to further risk.


The attack was not a ransomware incident but instead involved unauthorized and covert access to internal systems. According to cybersecurity firm EclecticIQ, which analyzed the breach, attackers gained access to information such as mobile phone numbers, International Mobile Equipment Identity (IMEI) numbers, and technical data like authentication tokens. This type of access, the firm noted, could potentially allow further infiltration into hospital networks, including patient records, through techniques like remote code execution (RCE).


UCLH confirmed the breach in a public statement, clarifying that the compromised system contained data related to staff mobile devices only and that there is currently "no evidence" patient data or passwords were accessed. The trust said it is working with NHS England and cybersecurity experts to investigate the incident further.


Sky News, which first reported the breach, was shown evidence indicating that malicious access to NHS systems had occurred. Analysts at EclecticIQ also revealed that similar attacks have impacted organizations across the UK, US, Germany, Ireland, Japan, South Korea, and Scandinavia. The activity was traced to an IP address based in China, and the tactics used in the breach mirrored those seen in previous operations by China-based threat actors. However, definitive attribution has not been established.


The National Cyber Security Centre (NCSC), the UK’s lead authority on cyber defense, is working with NHS England to monitor the situation. NHS England confirmed that it is providing support to affected trusts as part of an ongoing response.


The NHS has faced multiple cyberattacks in recent years. In June 2024, London hospitals were forced to cancel thousands of procedures after a ransomware attack on the blood testing company Synnovis. Another incident in November 2023 targeted Wirral University Teaching Hospital Trust, disrupting patient services and appointments.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543