Two NHS England trusts could see highly sensitive patient records exposed
# Incident Report: Exploitation of Ivanti EPMM Vulnerability Targeting UK Healthcare
## Executive Summary
A malicious campaign, identified by EclecticIQ, targeted organizations globally by exploiting a vulnerability in the Ivanti Endpoint Manager Mobile (EPMM) platform. Two UK National Health Service (NHS) trusts were reported as victims, potentially exposing sensitive patient and staff data. Response actions included monitoring by NHS England and collaboration with the NCSC, with assurance given that core health services were not affected and that actual access to patient data could not be confirmed.
## Incident Details
- **Discovery Date:** Not explicitly stated; reports emerged shortly before publication, based on EclecticIQ's findings.
- **Incident Date:** The attack campaign was active prior to the reporting date (May 28, 2025).
- **Affected Organization:** Multiple organizations across Scandinavia, UK, US, Germany, Ireland, South Korea, and Japan. Specifically named UK victims are University College London Hospitals NHS Foundation Trust and University Hospital Southampton NHS Foundation Trust.
- **Sector:** Healthcare (NHS)
- **Geography:** Global, with significant impact noted in the UK.
## Timeline of Events
### Initial Access
- **Date/Time:** Not specified.
- **Vector:** Exploitation of an undisclosed vulnerability within Ivanti Endpoint Manager Mobile (EPMM) solutions.
- **Details:** Threat actors leveraged this vulnerability to gain initial entry into the targeted organizations' IT systems.
### Lateral Movement
- Details regarding specific lateral movement techniques within the compromised trusts were not provided in this summary view.
### Data Exfiltration/Impact
- **What was stolen or damaged:** Potential unauthorized access to highly sensitive patient records, staff phone numbers, IMEI numbers, and technical authentication tokens. *Note: Sources close to the matter indicated no conclusive evidence of actual patient data access at the time of reporting.*
### Detection & Response
- **How it was discovered:** Identified and reported by the cybersecurity company EclecticIQ.
- **Response actions taken:** NHS England is actively monitoring the situation and collaborating with the UK’s National Cyber Security Centre (NCSC).
## Attack Methodology
- **Initial Access:** Exploitation of an unpatched vulnerability in Ivanti EPMM.
- **Persistence:** Not detailed.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Potential access to authentication tokens was inferred, but specific methods are unknown.
- **Discovery:** Not detailed.
- **Lateral Movement:** Not detailed.
- **Collection:** Gathering of staff phone numbers, IMEI numbers, and technical data.
- **Exfiltration:** Potential exfiltration of sensitive patient data (unconfirmed).
- **Impact:** Potential exposure of sensitive PII/PHI (Protected Health Information).
## Impact Assessment
- **Financial:** Not estimated.
- **Data Breach:** Potential exposure of patient records, staff phone numbers, and device identifiers (IMEI).
- **Operational:** NHS England confirmed that health services were "not currently affected."
- **Reputational:** High potential due to the involvement of NHS trusts and sensitive patient data.
## Indicators of Compromise
- **Network indicators:** None listed.
- **File indicators:** None listed.
- **Behavioral indicators:** Activity indicating exploitation of the Ivanti EPMM vulnerability.
## Response Actions
- **Containment measures:** Not detailed beyond active monitoring.
- **Eradication steps:** Not detailed.
- **Recovery actions:** Not detailed.
## Lessons Learned
- **Key takeaways:** Reliance on third-party hardware/software (like Ivanti EPMM) introduces significant supply chain risk, as zero-day or unpatched vulnerabilities can lead to widespread compromise.
- **What could have been done better:** Organizations relying on Ivanti EPMM should have had expedited patching processes or mitigation strategies in place for critical vulnerabilities affecting remote management devices.
## Recommendations
- **Prevention measures for similar incidents:** Organizations should audit all third-party remote management and endpoint solutions for known vulnerabilities (especially those publicized by vendors like Ivanti). Implement network segmentation around critical management infrastructure. Enhance monitoring specifically for unusual activity originating from or targeting Ivanti EPMM systems.