NHS vendor Advanced won’t say if patient data was stolen during ransomware attack

The hackers used "legitimate" credentials to breach the vendor's network

Advanced, an IT service provider for the U.K.’s National Health Service (NHS), has confirmed that attackers stole data from its systems during an August ransomware attack, but refuses to say if patient data was compromised.

Advanced first confirmed the ransomware incident on August 4 following widespread disruption to NHS services across the U.K. The attack downed a number of the organization’s services, including its Adastra patient management system, which helps non-emergency call handlers dispatch ambulances and helps doctors access patient records, and Carenotes, which is used by mental health trusts for patient information.

In an update dated October 12 and shared with TechCrunch on Thursday, Advanced said the malware used in the attack was LockBit 3.0, according to the company’s incident responders, named as Mandiant and Microsoft. LockBit 3.0 is a ransomware-as-a-service (RaaS) operation that hit Foxconn earlier this year.

In its updated incident report, Advanced said that the attackers initially accessed its network on August 2 using “legitimate” third-party credentials to establish a remote desktop session to the company’s Staffplan Citrix server, used for powering its caregiver’s scheduling and rostering system. The report implies there was no multi-factor authentication in place that would block the use of stolen passwords.

“The attacker moved laterally in Advanced’s Health and Care environment and escalated privileges, enabling them to conduct reconnaissance, and deploy encryption malware,” Advanced said in the update.

Advanced said some data pertaining to 16 Staffplan and Caresys customers (referring to NHS trusts) was “copied and exfiltrated,” a technique known as double-extortion, where cybercriminals exfiltrate a company’s data before encrypting the victim’s systems.

In the update, Advanced said there is “no evidence” to suggest that the data in question exists elsewhere outside our control and “the likelihood of harm to individuals is low.” When reached by TechCrunch, Advanced chief operating officer Simon Short declined to say if patient data is affected, or whether Advanced has the technical means, such as logs, to detect if data was exfiltrated.

Lockbit 3.0’s dark web leak site did not list Advanced or NHS data at the time of writing. Short also declined to say if Advanced paid a ransom.

“We are, however, monitoring the dark web as a belt and braces measure and will let you know immediately in the unlikely event that this position changes,” Advanced said in the update.

Advanced said its security team disconnected the entire Health and Care environment to contain the threat and limit encryption, which downed a number of services across the NHS. The extended outage left some trusts unable to access clinical notes and others were forced to rely on pen and paper, BBC News reported in August.

Advanced said its recovery from the incident is likely to be slow, citing an assurance process set by the NHS, NHS Digital and the U.K. National Cyber Security Center.

“This is time-consuming and resource intensive and it continues to contribute to our recovery timeline,” Advanced said. “We are working diligently and bringing all resources to bear, including outside recovery specialists, to help us restore services to our customers as quickly as possible.”

The healthcare industry remains a top priority for ransomware actors. Earlier this month, U.S. hospital giant CommonSpirit was hit by a cybersecurity incident that is disrupting medical services across the country — which it later confirmed was a ransomware attack.