NHS vendor Advanced won't say if patient data was stolen during ransomware attack

Updated on 2022-10-17: Advanced incident

Advanced, one of the biggest IT providers for the UK NHS, disclosed a security breach last week, admitting they had their IT network compromised following an infection with the LockBit 3.0 ransomware.

“The threat actor initially accessed the Advanced network using legitimate third-party credentials to establish a remote desktop (RDP) session to the Staffplan Citrix server. During the initial logon session, the attacker moved laterally in Advanced’s Health and Care

environment and escalated privileges, enabling them to conduct reconnaissance, and deploy encryption malware. Immediately prior to encrypting systems, the threat actor copied and exfiltrated a limited amount of data.” Read more: Client data exfiltrated in Advanced NHS cyber attack

Updated on 2022-10-16: NHS vendor Advanced won’t say if patient data was stolen during ransomware attack

Well here’s what should be an easy one, but NHS vendor Advanced won’t say if patient data was compromised or taken during an August ransomware attack. If you recall, some NHS health trusts were struggling after IT systems were pulled offline following the incident, to the point where it was “compromising” care. But in a new report obtained by my TechCrunch colleague @carlypage_, Advanced said “legitimate” third-party credentials were used to break into its network (no MFA!), after which the LockBit 3.0 malware exfiltrated and encrypted its data. But was patient health data in there? Advanced’s COO wouldn’t say, or even if it had logs to determine what, if any, data was taken. LockBit 3.0 is a double-extortion racket, so if data was exfiltrated, fears it could soon appear online. It appears at least 16 care homes had patient data stolen, per @joetidy. Read more:

Update from Advanced on this: 'The 16 Data Controllers have been informed who in turn have notified their Data Subjects. All 16 were customers of our Residential and Domiciliary care products Caresys and Staffplan”. In other words – 16 care homes have had patient data stolen.

— Joe Tidy (@joetidy) October 14, 2022

In the update, Advanced said there is “no evidence” to suggest that the data in question exists elsewhere outside our control” – Via @CarlyPage_ 1/2https://t.co/xm7KPug5FK

— Brett Callow (@BrettCallow) October 13, 2022

Updated on 2022-10-14: NHS Managed Software Provider Says Some Data Were Exfiltrated in Ransomware Attack

A managed software provider for the UK’s National Health Service (NHS) has acknowledged that a cybersecurity incident disclosed this summer resulted in the exfiltration of some sensitive data. Advanced was forced to “disconnect the entire Health and Care environment” in early August; the incident has caused disruptions to NHS.

Note

Looks like once again reusable passwords enabled a breach at a service provider: “Access was gained via Advanced’s network using legitimate third-party credentials to set up a Remote Desktop session to the Staffplan Citrix server.” Make sure support for multifactor authentication/passkey support is a key requirement when your organization is looking at any third party services.
As of October 13th, 90 percent of the affected sites were back online, a bit longer than the initial projection of seven to twenty-one days to recover. Interesting note is the recovery is expected to be on the order of 10x any ransom payment requested. When you include costs of hiring additional incident response expertise, staff to rebuild and re-assure systems, and add in costs related to loss of services to customers, 10x seems conservative. Point is – make sure that you’re truly prepared for the costs associated with a breach, talk through all the resources required and time expected, then consider doubling it.

Read more in

LockBit 3.0 malware forced NHS tech supplier to shut down hosted sites

Updated on 2022-10-13

MSP to the U.K NHS, Advanced, confirmed the August cyberattack affected a limited amount of data related to 16 of its Caresys and Staffplan customers. Read more: LockBit 3.0 malware forced NHS tech supplier to shut down hosted sites

Updated on 2022-10-05: Ransomware attack affecting U.K. patient care months later

It’s now been two months since a ransomware attack on Advanced, a major IT vendor for the U.K.’s National Health Service, but its aftermath lingers on and is still “compromising” the quality of provided care, according to the CEO of one of the affected NHS trusts. Check-ins, notes, and the NHS’ non-emergency hotline remain affected, amid ongoing fears that massive amounts of patient data was stolen. Replacement systems are in place but they’re time consuming and cumbersome. There’s absolutely no excuse at this point for this extreme level of jackassery. Computer Weekly also has more.

There should probably be a public enquiry into this, or at least send in the ICO, as at the moment as far as I know there’s no independent view about supplier security ransomware risk in NHS. https://t.co/4O6b1WRJbD

— Kevin Beaumont (@GossiTheDog) September 28, 2022

Overview: NHS Outage Due to Cyberattack Against Managed Service Provider

The UK’s National Health Service (NHS) is experiencing an outage after a managed service provider suffered a cyberattack. The incident is affecting NHS’s 111 service, which is designed for people who need urgent health care, but not for life-threatening situations. The 999 emergency services number does not appear to be affected. The situation is expected to be resolved this week.

Note

The question is how insulated are you from compromise at your third-party providers. Make sure that your DR plans address both directly and indirectly connected systems. Whether a failure in the feed you send to the bank for payroll processing or outsourced/cloud services directly connected to your network, be sure to know what impacts are possible and what your recovery option is. Make sure that you have segmentation and monitoring, appropriate geographic distribution as well as redundancy of connections.