UK children's hospital investigating data breach after ransomware gang claims attack

Last night, the ransomware gang INC added Alder Hey Children’s NHS Foundation Trust to its data leak site. It claims to have stolen patient records, donor reports, and procurement data from 2018 to 2024. Comparitech contacted the children’s hospital in Liverpool for more information, and the Trust subsequently released a statement.

In the statement, the Trust confirmed it was aware of the threats made and was working to verify what data had potentially been stolen. It also confirmed that the attack wasn’t connected to the ongoing major incident at Wirral University Teaching Hospitals.

INC ransomware gang was also responsible for the February 2024 attack on NHS Dumfries and Galloway. This attack led to the exfiltration of data but no encryption of systems (which also appears to be the case with Alder Hey). After NHS Dumfries and Galloway didn’t meet the ransomware gang’s demands, 3TB of data was published online. The trust later confirmed this included “millions” of pieces of data, including x-rays, test results and correspondence between health teams, social care teams, and patients.

While the Trust continues its investigations, we highly recommend patients and staff members remain vigilant for any potential phishing messages and monitor accounts for any unusual activity.

The Trust’s statement reads as follows:

We are aware that data has been published online and shared via social media that purports to have been obtained illegally from systems shared by Alder Hey and Liverpool Heart and Chest Hospital NHS Foundation Trust. We are working with partners to verify the data that has been published and to understand the potential impact.
We are taking this issue very seriously and are working with the National Crime Agency as well as partner organisations to secure our systems and to take further steps in line with law enforcement advice as well as our statutory duties relating to patient data.
This incident is not linked to the ongoing incident at Wirral University Teaching Hospitals.
Our services are operating as normal, and patients should attend appointments as usual.

This week, Wirral University Teaching Hospital NHS Foundation Trust declared a major incident citing “cybersecurity reasons.” This resulted in a number of IT systems being taken offline and patient appointments being canceled. In its latest update (11/28), the hospital said it expects the issues to continue into the weekend. While it hasn’t disclosed any further details about the nature of this incident, it does bear all of the hallmarks of a ransomware attack.

Who is INC?

INC first appeared in July 2023 and has since gone on to claim 199 victims, 64 of which have been confirmed by the entity involved. Its initial attack vectors include spear phishing and exploiting known vulnerabilities in software.

While INC targets a range of industries, some of its biggest attacks have been on the healthcare industry. OnePoint Patient Care in the US has just increased the number of patients involved in its August 2024 attack to over 1.7 million.

It has also been confirmed as the gang behind recent attacks on Hungary’s Defense Procurement Agency (Védelmi Beszerzési Ügynökség Zrt.) and Czech aerospace company PBS Group. In the case of PBS Group, INC has just listed the stolen data (2TB) for sale for $1 million.

Ransomware attacks on hospitals and clinics

Unfortunately, this isn’t the first time a ransomware gang has targeted a children’s hospital. In April, Ann & Robert H. Lurie Children’s Hospital of Chicago was hit with a $3.4 million ransom by the Rhysida gang which it refused to pay. The hospital later notified 791,784 people of a data breach stemming from the attack.

More recently, Boston Children’s Health Physicians notified patients of a data breach after it suffered a ransomware attack via its IT provider, ATSG, Inc. ATSG issued notifications to over 909,000 people but the number of BCHP patients potentially affected hasn’t been disclosed yet. 

So far this year, we’ve noted 154 attacks on hospitals and clinics across the globe. These have affected nearly 18.4 million records and have seen average ransom demands of over $6.3 million.

We have also logged 212 unconfirmed attacks on this sector this year so far.

About Alder Hey Children’s NHS Foundation Trust

Located in Liverpool, UK, Alder Hey Children’s NHS Foundation Trust is one of the largest children’s hospitals in Europe. It employs 4,115 people and treats over 450,000 children each year.