Alder Hey Children’s NHS Foundation Trust said a single attack compromised the systems of three NHS entities
# Incident Report: Multi-Hospital Data Breach Via Shared Gateway
## Executive Summary
An attack attributed to the ransomware group INC Ransom resulted in unauthorized access to sensitive data across three Liverpool-area healthcare organizations, notably affecting Alder Hey Children's Hospital. The breach occurred via a shared digital gateway service, leading to the exfiltration of patient records and operational data. Response efforts focused on containment, forensic investigation in collaboration with the NCA, and preparing for potential data publication while maintaining critical hospital services.
## Incident Details
- Discovery Date: November 28, 2024 (when INC Ransom first publicly claimed the attack)
- Incident Date: Before November 28, 2024 (the intrusion preceded the public claim; the exact date is unknown)
- Affected Organizations: Alder Hey Children's NHS Foundation Trust, Liverpool Heart and Chest Hospital, and Royal Liverpool University Hospital (minor impact)
- Sector: Healthcare (NHS)
- Geography: Liverpool, UK
## Timeline of Events
### Initial Access
- Date/Time: Unknown, prior to November 28, 2024.
- Vector: Unauthorized access to a **digital gateway service** shared between Alder Hey Children’s Hospital and Liverpool Heart and Chest Hospital.
- Details: This gateway provided the entry point for the attackers.
### Lateral Movement
- Details: The attacker gained access to systems containing data from Alder Hey Children’s NHS Foundation Trust and Liverpool Heart and Chest Hospital, and a small amount of data from Royal Liverpool University Hospital, indicating successful movement across networked resources accessible via the gateway.
### Data Exfiltration/Impact
- Details: The ransomware group INC Ransom claimed to have obtained a large volume of data, specifically patient records, donor reports, and procurement data spanning 2018-2024 from the Trust. The exact scope of the compromised data was still under investigation.
### Detection & Response
- Date/Time: November 28, 2024 (When the ransomware group publicly claimed the breach).
- Details: The Trust acknowledged the claim, launched an investigation with the UK’s National Crime Agency (NCA) and external partners, and began securing impacted systems to prevent ongoing access. They also informed the Information Commissioner’s Office (ICO).
## Attack Methodology
- Initial Access: Compromise of a shared **digital gateway service**.
- Persistence: Details not specified, but the Trust worked to ensure attackers did not have continued access.
- Privilege Escalation: Not specified.
- Defense Evasion: Not specified.
- Credential Access: Not specified.
- Discovery: Not specified, though access to various data types suggests network reconnaissance occurred.
- Lateral Movement: Movement across systems belonging to three linked hospitals.
- Collection: Gathering patient records, donor reports, and procurement data (2018-2024).
- Exfiltration: Data was stolen, and the threat actor threatened to publish it.
- Impact: Data breach affecting millions of individuals across three healthcare providers.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Patient records, donor reports, and procurement data (2018-2024), affecting three major healthcare facilities.
- Operational: Hospital services at the three locations continued to run normally, and patients were advised to keep appointments. System reconnection was planned "when it is safe to do so."
- Reputational: Significant reputational damage, particularly concerning the compromise of children's hospital data.
## Indicators of Compromise
- Network indicators: None explicitly stated; no URLs or IP addresses were published in the reporting.
- File indicators: None explicitly stated.
- Behavioral indicators: Unauthorized access to shared digital gateway leading to network exploration and data staging/exfiltration.
## Response Actions
- Containment measures: Progress made in securing impacted systems to ensure attackers did not have continued access.
- Eradication steps: Focused on removing attacker access and preparing for safe system reconnection.
- Recovery actions: Planning to sequentially bring systems back online once deemed safe, following ICO guidance for breach notification.
## Lessons Learned
- Key takeaways: Reliance on shared infrastructure (digital gateway) can create a single point of failure and broaden the impact scope across multiple organizations.
- What could have been done better: The shared gateway service may have lacked adequate segmentation or monitoring before the incident, and establishing the scope of the compromised data has proven time-consuming.
## Recommendations
- **Infrastructure Segmentation:** Review and enhance segmentation between shared services and core operational networks, especially in critical infrastructure environments like healthcare.
- **Gateway Security:** Implement rigorous access controls, multi-factor authentication, and continuous monitoring specifically for shared digital gateway services.
- **Incident Preparation:** Ensure immediate isolation capabilities are in place to prevent lateral movement following compromise of a perimeter service.
- **Breach Notification:** Prepare communication frameworks to rapidly notify regulatory bodies (like the ICO) and affected parties once breach scope is confirmed.
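The gateway monitoring and isolation recommendations above, illustrated with added example code that is not part of the original report and does not describe any real NHS system. It assumes a hypothetical key=value access-log format for a shared gateway, constructed sample log lines, and hypothetical tenant tags (ALDERHEY, LHCH, RLUH); it flags any session that reaches more than one organization's resources through the gateway, and any session whose outbound volume exceeds a threshold, which are the two behaviours this report lists as the lateral-movement and exfiltration indicators.

```python
"""Sample monitoring check for a shared gateway service (added illustration, not from the report)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines in a hypothetical key=value format; not real incident data.
# Tenant tags (org=...) are hypothetical labels for the organizations sharing the gateway.
SAMPLE_LOG = """\
2024-11-20T08:01:12Z sess=a1 user=clinician01 src=10.1.5.20 org=ALDERHEY res=/records/search bytes_out=2048
2024-11-20T08:03:40Z sess=a1 user=clinician01 src=10.1.5.20 org=ALDERHEY res=/records/search bytes_out=512
2024-11-20T09:15:02Z sess=b7 user=svc-gateway src=203.0.113.45 org=ALDERHEY res=/records/export bytes_out=734003200
2024-11-20T09:20:55Z sess=b7 user=svc-gateway src=203.0.113.45 org=LHCH res=/donors/export bytes_out=220200960
2024-11-20T09:31:10Z sess=b7 user=svc-gateway src=203.0.113.45 org=RLUH res=/procurement/export bytes_out=5242880
2024-11-20T10:00:00Z sess=c3 user=finance02 src=10.2.7.8 org=LHCH res=/procurement/search bytes_out=1024
"""


@dataclass
class SessionSummary:
    session: str
    user: str
    src: str
    orgs: set = field(default_factory=set)   # tenant organizations touched in this session
    bytes_out: int = 0                        # total bytes sent back out through the gateway


def parse_line(line: str) -> dict:
    """Parse one hypothetical 'timestamp key=value ...' gateway log line into a dict."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for f in fields:
        key, _, value = f.partition("=")
        rec[key] = value
    rec["bytes_out"] = int(rec.get("bytes_out", 0))
    return rec


def summarize_sessions(log_text: str) -> dict:
    """Aggregate log lines per gateway session: which tenants were reached and how much data left."""
    sessions: dict = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        summary = sessions.get(rec["sess"])
        if summary is None:
            summary = SessionSummary(rec["sess"], rec["user"], rec["src"])
            sessions[rec["sess"]] = summary
        summary.orgs.add(rec["org"])
        summary.bytes_out += rec["bytes_out"]
    return sessions


def find_alerts(log_text: str, max_orgs_per_session: int = 1,
                exfil_threshold_bytes: int = 100 * 1024 * 1024) -> list:
    """Return one alert per session that crosses tenant boundaries or exceeds the outbound volume threshold.

    Both thresholds are illustrative defaults; a real deployment would tune them per service.
    """
    alerts = []
    for s in summarize_sessions(log_text).values():
        reasons = []
        if len(s.orgs) > max_orgs_per_session:
            reasons.append(f"cross-organization access via shared gateway: {sorted(s.orgs)}")
        if s.bytes_out > exfil_threshold_bytes:
            reasons.append(f"outbound volume {s.bytes_out} bytes exceeds {exfil_threshold_bytes}")
        if reasons:
            alerts.append({"session": s.session, "user": s.user, "src": s.src, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        # A hit here is the trigger for the "immediate isolation" step: terminate the session
        # and block the source at the gateway while the investigation proceeds.
        print(alert)
```

On the constructed sample, only session `b7` is flagged, for both reasons: it reaches three tenants through one gateway session and sends roughly 915 MiB outbound. The per-session tenant count is the cheapest signal a shared gateway can emit for lateral movement across the organizations behind it, and it is one that ordinary per-organization monitoring never sees.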