Hospitals Targeted in Ransomware Attack

Three more hospitals have suffered a large-scale data breach at the hands of the ransomware group INC Ransom, part of a chain of sophisticated attacks aimed at healthcare systems. The attackers stole patient records, donor reports, procurement data, and more.

Experts predict that hospital cyberattacks will continue to rise in 2025. Unfortunately, few details of these attacks have been made public. The following is what we know so far.

Alder Hey Children's NHS Foundation Trust confirmed that it, along with the Liverpool Heart and Chest Hospital and Royal Liverpool University Hospital, had been impacted by a data breach on Thursday, November 28th. Furthermore, the trust explained that the breach was the result of “a single cyber attack that has impacted three NHS organisations”.

The threat actors gained access to the data, including some data belonging to Royal Liverpool University Hospital, through a digital gateway service shared by the Alder Hey and Liverpool Heart and Chest healthcare providers.

A digital gateway service acts as an intermediary that facilitates secure communication and data exchange between different digital systems, networks, or services. Compromising the digital gateway allowed the hackers to gain a foothold in the network.

The hackers uploaded screenshots of the data breach on social media on November 28th, which accelerated the need to analyze the incident to fully understand the scope of the intrusion before further damage could be done. “The investigation into the data may take some time, and there is a possibility that the attacker may publish the data before our investigation is concluded,” the Trust said.

Image: INC Ransom claim leak site

Thankfully, hospital services remain unaffected by the breach. The incident is not connected to the breach at Wirral University Teaching Hospital NHS Foundation Trust, which was targeted just days before, resulting in outpatient appointments being canceled for several days.

Dr. Saif Abed, a globally recognized expert in healthcare cybersecurity and cyber-policy, and a former NHS doctor, commented on the recent healthcare security breaches. He predicted that 2025 will see an increase in healthcare cyber attacks.

“The NHS supply chain is broken. Too many suppliers are wilfully ignoring cybersecurity compliance standards and are a gateway for attacks against NHS trusts,” he said.

Abed criticized the UK government’s current position regarding cybersecurity regulations, explaining that they need to become tougher by launching an independent inquiry into NHS cybersecurity and patient safety.

Maybe then the NHS will be ready to withstand the next attack, rather than being sitting ducks. Attacks are evolving. For this reason, and many others, I always say, “It is not a matter of if, but when.”

Commenting on the incident, Will Thomas, SANS Instructor and CTI researcher, said that the INC Ransom group is known to exploit CitrixBleed (CVE-2023-4966), a critical software vulnerability first discovered in 2023 in Citrix NetScaler ADC and NetScaler Gateway appliances. This vulnerability allows threat actors to bypass multifactor authentication (MFA) and hijack legitimate user sessions.
