Attacker gained access to data through a shared digital gateway service.
Three Merseyside NHS organisations were impacted via a single cyber-attack on a shared digital gateway service.
After a number of hospitals and facilities were hit in the past few weeks, Alder Hey Children's Hospital Trust said in a statement that cyber-criminals gained unlawful access to data through a digital gateway service shared by Alder Hey and Liverpool Heart and Chest Hospital.
“This has resulted in the attacker unlawfully getting access to systems containing data from Alder Hey Children’s NHS Foundation Trust, Liverpool Heart and Chest Hospital, and a small amount of data from Royal Liverpool University Hospital,” it said.
Full Facts
An investigation is still ongoing to determine the full facts around what data has been obtained unlawfully. However Alder Hay said it had “made progress in securing impacted systems and ensuring the attackers do not have continued access.”
“This means that we are in a position to begin to reconnect our systems when it is safe to do so.”
It also commented on screenshots of stolen data, which it said it is taking very seriously “while investigations continue into whether the attacker has obtained confidential data.”
The statement said this investigation may take some time, “and there is a possibility that the attacker may publish the data before our investigation is concluded.”
Commenting, Jake Moore, global cybersecurity advisor at ESET, said: “It must be assumed that once data is compromised it will at one stage make its way into the public domain via criminal channels whether measures to rectify the problems have been put in place or not.
“It becomes far more sinister when medical records are caught up in a data breach and can cause more stress on the innocent victims of these attacks. More protection is desperately needed in local hospitals and better measures are required to remove legacy systems and weakened supply chains.”
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
