NHS ransomware attack: what happened and how bad is it?

Cyber-attacks on health bodies appear to be on the rise again after a hiatus early in the pandemic

Fears for patient data after attack on NHS software supplier

A ransomware attack on a software supplier has hit the NHS across the UK and there are fears that patient data may have been the target.

Advanced, the UK company hit by the attack last week, said it was working with government agencies, including the National Cyber Security Centre and the Information Commissioner’s Office, in the aftermath of the incident.

Details such as the identity of the attacker(s) and the scale of the damage have yet to emerge, but here is a guide to what we know so far and how ransomware gangs operate.

What is a ransomware attack?

This is when a group gains access to an entity’s computer system, sometimes via an email “phishing” attack. They have also involved entering a virtual private network (VPN) that is used by employees to access their employer’s internal computer systems when, for example, they are working from home.

Once inside, rogue actors deploy a piece of malware – malicious software – that encrypts computers, making it impossible to access their content. The bad actor then demands money in exchange for decrypting or unlocking the computers.

While data is not always taken during attacks, if it is it can be used as part of the negotiations. Ransomware gangs have created websites where stolen data is displayed.

How severe was the attack?

The attack on the morning of 4 August caused widespread outages across the NHS. The target was Advanced, a company that provides software for various parts of the health service. It affected services including patient referrals, ambulance dispatch, out-of-hours appointment bookings, mental health services and emergency prescriptions.

The impact can be worked out by looking at which Advanced systems were directly or indirectly hit. They included Adastra, which helps 111 call handlers dispatch ambulances and helps doctors access a patient’s GP records; Carenotes, which is used by mental health trusts for patient records; Caresys, which is used in care homes; Crosscare, which helps run hospices; and Staffplan, used by care organisations.

The Health Service Journal has reported that at least nine NHS mental health trusts have been affected by the outage, reducing their access to patients’ records. Advanced software is used in 36 acute trusts or mental health trusts in England, according to Digital Health Intelligence.

A leaked internal NHS England document seen by the Guardian has disclosed that “a number of NHS services, including NHS 111, some urgent treatment centres and some mental health providers use software that have been taken offline”.

In an email to staff reported by the Independent, the Oxford Health NHS foundation trust’s chief executive, Dr Nick Broughton, said: “The cyber-attack targeted systems used to refer patients for care, including ambulances being dispatched, out-of-hours appointment bookings, triage, out-of-hours care, emergency prescriptions and safety alerts. It also targeted the finance system used by the trust.

“We have now been advised that we should prepare for a system outage that could continue for two weeks for Adastra and possibly longer than three weeks for Carenotes.”

Advanced hinted in a statement late on Wednesday that a full recovery for some services could take weeks. Apart from work to get 111 back on track, contingency plans would have to be in place “for at least three to four more weeks”, it said. NHS England said some 111 callers may face longer waits than usual.

Who might be behind the attack?

No group has been named as the attacker, but it has been reported that it is likely to be a criminal gang rather than a state organisation.

The most notorious ransomware group in recent times is the one behind attacks using the Conti malware, which hobbled the Irish healthcare system last year and the Costa Rican government earlier this year.

This Russian-linked criminal group appears to have wound down its Conti malware attacks. However, there has been widespread speculation that the same group is behind a new piece of malware called Black Basta. There is no evidence that the Conti/Black Basta group is behind the NHS attack and there are many other potential candidates.

There are a variety of ransomware groups out there, with different malware (the names of the malware and the groups behind them are often viewed as interchangeable). Names of malware operations that have been linked to healthcare attacks over the past year include BlackCat, Quantum, Hive and AvosLocker.

Are healthcare organisations a popular target?

There had been signs of a hiatus in attacks on health organisations during the pandemic, with the ransomware group Maze saying it would not hit medical targets. But even before the Advanced attack it seemed the situation was changing. For instance, the Irish healthcare system attack was in May 2021.

The number of health organisations around the world targeted by cyber-attacks rose 90% in the three months to 30 June compared with the first three months of 2022, according to the risk consultancy Kroll. This study was based on the 3,200 incidents across all sectors reported to the consultancy over the past 12 months.

Ioan Peters, the managing director of cyber risk at Kroll, said: “This latest cyber-attack and possible data extraction impacting the NHS comes as healthcare organisations across the world are facing increased pressure from cybercriminals.”

He said the study showed healthcare was the most targeted sector and that “we’ve definitely reached the end of the truce that some criminal groups instituted earlier in the Covid pandemic”.

In the healthcare ransomware cases Kroll had seen, there was a “double extortion” tactic in which data was taken before the victim’s network was encrypted, and then the hackers threatened to leak the data in an attempt to gain leverage during negotiations.


Dan Milmo Global technology editor

The GuardianTramp

Related Content

Article image
Cybersecurity stocks boom after ransomware attack
Companies see share prices rise sharply amid expected increase in spending on IT security after WannaCry hack

Nick Fletcher and Haroon Siddique

16, May, 2017 @3:35 PM

Article image
Cyber-attack set to escalate as working week begins, experts warn
Europol and NHS fear further disruption when workers switch on computers for first time since spread of ransomware

Robert Booth

15, May, 2017 @6:26 AM

Article image
What is WannaCry ransomware and why is it attacking global computers?
Malicious software has attacked computers across the NHS and companies in Spain, Russia, the Ukraine and Taiwan. What is it and how is it holding data to ransom?

Alex Hern and Samuel Gibbs

12, May, 2017 @4:16 PM

Article image
The ransomware attack is all about insufficient funding of the NHS | Charles Arthur
Amber Rudd, the home secretary, can burble all she wants but the Tories have overseen chaos in NHS computing systems

Charles Arthur

13, May, 2017 @12:21 PM

Article image
Ransomware attacks: Putin says Russia is not responsible - as it happened
Businesses and NHS brace for fresh impact as minister blames Labour for UK’s cyber-security failings

Jamie Grierson

15, May, 2017 @2:51 PM

Article image
The NHS trusts hit by malware – full list
Global cyber-attack hits 40 NHS trusts in England and Scotland, compromising IT systems that underpin patient safety

Sarah Marsh

12, May, 2017 @10:34 PM

Article image
Ransomware hackers steal plans for upcoming Apple products
Group behind REvil ransomware claims stolen files include plans for two laptops and a new Apple Watch

Alex Hern

22, Apr, 2021 @1:37 PM

Article image
NHS cancer patients hit by treatment delays after cyber-attack
Hospitals across the country were forced to cancel routine procedures and divert emergency cases after malware attack

Sarah Marsh

14, May, 2017 @6:57 PM

Article image
Operations cancelled as Hunt accused of ignoring cyber-attack warnings
Regulator said last summer that threat of attacks had put patient data at risk and jeopardised clinicians’ access to records

Denis Campbell and Haroon Siddique

15, May, 2017 @12:58 PM

Article image
NHS 111 expects delays after cyber-attack causes system outage
Services still available but will run at reduced capacity over the weekend

Nadeem Badshah

05, Aug, 2022 @10:45 PM