The U.K.’s largest NHS trust has confirmed it’s investigating a ransomware incident as the country’s public sector continues to battle a rising wave of cyberattacks.
Barts Health NHS Trust, which runs five London-based hospitals and serves more than 2.5 million patients, was recently added to the dark web leak site of the ALPHV ransomware gang. The gang, also known as BlackCat, says it has stolen 70 terabytes of sensitive data in what it claims is the biggest breach of healthcare data in the United Kingdom.
Samples of the allegedly stolen data, seen by TechCrunch, include employee identification documents, including passports and driver licenses, and internal emails labeled “confidential.”
When asked by TechCrunch, a Barts Health spokesperson did not dispute that it was affected by a security incident that involved the exfiltration of data, nor did they dispute the legitimacy of the stolen data samples shared by ALPHV. “We are aware of claims of a ransomware attack and are urgently investigating,” the spokesperson, who did not provide their name, told TechCrunch.
ALPHV, which first listed Barts Health on June 30, wrote that the NHS Trust had three days to contact the gang to prevent the publication of data, “most of it citizens [sic] confidential documents.” At the time of writing, the full trove of allegedly stolen data has not been published.
This incident is the second breach of NHS data in recent weeks. As first reported by the Independent, a June ransomware attack on the U.K.’s University of Manchester saw hackers access an NHS dataset that holds information on 1.1 million patients across 200 hospitals. The compromised data — gathered by the university for research purposes — includes NHS numbers and the first three letters of patients’ postcodes, according to reports.
When asked by TechCrunch, University of Manchester spokesperson Ben Robinson declined to comment on the reported theft of NHS data, but confirmed that the university had experienced a security incident that led to the exfiltration of data from its systems.
“We confirmed on 23 June that our systems have been accessed and student and alumni data has been copied. Individuals have been informed of this cyber incident and offered support and advice to further protect their data, Robinson said. “Our in-house data experts and external support are working around-the-clock to resolve this incident and respond to its impacts, and we are not able to comment further at this stage.”
The National Cyber Security Centre, the U.K.’s cybersecurity agency, is investigating the incident. NHS England declined to comment.
Cyberattack aftermath
The U.K.’s public sector has battled a wave of cyberattacks in recent months.
Ofcom, the U.K.’s communications regulator, recently confirmed it was among the organizations to have been compromised by the Clop ransomware gang’s mass-exploitation of a security flaw in Progress Software’s MOVEit Transfer managed file transfer service, and the University of the West of Scotland (UWS) has confirmed that it’s experiencing an “ongoing cyber incident,” but kept light on details.
One of the largest ongoing cyber incidents impacting the U.K. public sector resulted from a May ransomware attack on Capita, a British outsourcing giant that provides critical services for the U.K. government.
As a result of the attack, which was claimed by the Black Basta ransomware group, more than 90 organizations reported breaches of personal information. This included the Universities Superannuation Scheme (USS), the U.K.’s largest private pension provider, which said that the personal details of almost half a million members were held on servers accessed during the breach.
Last week, Capita confirmed that its own pension fund was also impacted by the cyberattack. In a letter shared with The Times, Capita told its staff members — three months after the breach — that it had “identified evidence that the following personal data relating to you is within the data compromised and/or copied from Capita’s systems.”
When asked by TechCrunch, Capita did not dispute the reporting, but declined to say how many, if not all, of its 61,000 employees were impacted or what types of data were accessed.
“Capita continues to work closely with specialist advisers and forensic experts to investigate the incident and we have taken extensive steps to recover and secure the data,” a Capita spokesperson, who declined to be named, told TechCrunch. “This is a complex investigation and the process is ongoing. We continue to inform those affected.”
Just days after news of the Capita breach broke, TechCrunch reported that the company had experienced a second security incident after discovering that Capita had left a trove of data exposed online for seven years. Capita told TechCrunch that the unsecured Amazon-hosted storage bucket, which contained approximately 3,000 files totaling 655 gigabytes in size, contained “information such as release notes and user guides, which are routinely published alongside software releases in line with standard industry practice.”
Since, however, a number of U.K. councils have confirmed that the incident left residents’ sensitive data exposed to the public internet.