Skip to Content

NHS vendor Advanced won’t say if patient data was stolen during ransomware attack

Updated on 2022-10-17: Advanced incident

Advanced, one of the biggest IT providers for the UK NHS, disclosed a security breach last week, admitting they had their IT network compromised following an infection with the LockBit 3.0 ransomware.

“The threat actor initially accessed the Advanced network using legitimate third-party credentials to establish a remote desktop (RDP) session to the Staffplan Citrix server. During the initial logon session, the attacker moved laterally in Advanced’s Health and Care

environment and escalated privileges, enabling them to conduct reconnaissance, and deploy encryption malware. Immediately prior to encrypting systems, the threat actor copied and exfiltrated a limited amount of data.” Read more: Client data exfiltrated in Advanced NHS cyber attack

Updated on 2022-10-16: NHS vendor Advanced won’t say if patient data was stolen during ransomware attack

Well here’s what should be an easy one, but NHS vendor Advanced won’t say if patient data was compromised or taken during an August ransomware attack. If you recall, some NHS health trusts were struggling after IT systems were pulled offline following the incident, to the point where it was “compromising” care. But in a new report obtained by my TechCrunch colleague @carlypage_, Advanced said “legitimate” third-party credentials were used to break into its network (no MFA!), after which the LockBit 3.0 malware exfiltrated and encrypted its data. But was patient health data in there? Advanced’s COO wouldn’t say, or even if it had logs to determine what, if any, data was taken. LockBit 3.0 is a double-extortion racket, so if data was exfiltrated, fears it could soon appear online. It appears at least 16 care homes had patient data stolen, per @joetidy. Read more:

Updated on 2022-10-14: NHS Managed Software Provider Says Some Data Were Exfiltrated in Ransomware Attack

A managed software provider for the UK’s National Health Service (NHS) has acknowledged that a cybersecurity incident disclosed this summer resulted in the exfiltration of some sensitive data. Advanced was forced to “disconnect the entire Health and Care environment” in early August; the incident has caused disruptions to NHS.


  • Looks like once again reusable passwords enabled a breach at a service provider: “Access was gained via Advanced’s network using legitimate third-party credentials to set up a Remote Desktop session to the Staffplan Citrix server.” Make sure support for multifactor authentication/passkey support is a key requirement when your organization is looking at any third party services.
  • As of October 13th, 90 percent of the affected sites were back online, a bit longer than the initial projection of seven to twenty-one days to recover. Interesting note is the recovery is expected to be on the order of 10x any ransom payment requested. When you include costs of hiring additional incident response expertise, staff to rebuild and re-assure systems, and add in costs related to loss of services to customers, 10x seems conservative. Point is – make sure that you’re truly prepared for the costs associated with a breach, talk through all the resources required and time expected, then consider doubling it.


Updated on 2022-10-13

MSP to the U.K NHS, Advanced, confirmed the August cyberattack affected a limited amount of data related to 16 of its Caresys and Staffplan customers. Read more: LockBit 3.0 malware forced NHS tech supplier to shut down hosted sites

Updated on 2022-10-05: Ransomware attack affecting U.K. patient care months later

It’s now been two months since a ransomware attack on Advanced, a major IT vendor for the U.K.’s National Health Service, but its aftermath lingers on and is still “compromising” the quality of provided care, according to the CEO of one of the affected NHS trusts. Check-ins, notes, and the NHS’ non-emergency hotline remain affected, amid ongoing fears that massive amounts of patient data was stolen. Replacement systems are in place but they’re time consuming and cumbersome. There’s absolutely no excuse at this point for this extreme level of jackassery. Computer Weekly also has more.

Read more:

Overview: NHS Outage Due to Cyberattack Against Managed Service Provider

The UK’s National Health Service (NHS) is experiencing an outage after a managed service provider suffered a cyberattack. The incident is affecting NHS’s 111 service, which is designed for people who need urgent health care, but not for life-threatening situations. The 999 emergency services number does not appear to be affected. The situation is expected to be resolved this week.


  • The question is how insulated are you from compromise at your third-party providers. Make sure that your DR plans address both directly and indirectly connected systems. Whether a failure in the feed you send to the bank for payroll processing or outsourced/cloud services directly connected to your network, be sure to know what impacts are possible and what your recovery option is. Make sure that you have segmentation and monitoring, appropriate geographic distribution as well as redundancy of connections.


Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two chilrdren. You can reach him at [email protected] or follow him on Website | Twitter | Facebook

    Ads Blocker Image Powered by Code Help Pro

    Your Support Matters...

    We run an independent site that is committed to delivering valuable content, but it comes with its challenges. Many of our readers use ad blockers, causing our advertising revenue to decline. Unlike some websites, we have not implemented paywalls to restrict access. Your support can make a significant difference. If you find this website useful and choose to support us, it would greatly secure our future. We appreciate your help. If you are currently using an ad blocker, please consider disabling it for our site. Thank you for your understanding and support.