Data Breach , Governance , Incident Response

British NHS Trust Investigates Suspected Cyberattack

Barts Health NHS Trust Rules Out Ransomware as Cause
British NHS Trust Investigates Suspected Cyberattack
Pictured: Royal London Hospital, part of Barts Health NHS Trust. Credit: Matt Brown (Flickr/CC)

England's largest health trust has been hit by a suspected cyberattack that led to IT administrators taking many systems offline at four hospitals in London while the matter gets investigated. The trust says it has not yet determined whether the disruption was malicious but says it's concluded that no ransomware was involved. (Jan. 17 update: Barts has confirmed that the cyberattack was caused by Trojan malware.)

See Also: 2017 Predictions on Data Security: Insights on Important Trends in Security for the Banking Industry

On the morning of Jan. 13, an internal email to employees of Barts Health Trust warned that the trust was suffering a "ransomware virus attack issue," followed by an afternoon communication warning that three of the trust's four hospitals had engaged "operating downtime procedures" for their pathology systems, Britain's Health Service Journal reported.

The publication added that a source at the trust reported that the attack had compromised both Windows XP and Windows 7 PCs, affected thousands of files and resulted in the trust deactivating file sharing while the matter is investigated.

Barts Health Trust comprises four east London hospitals: The Royal London, St Bartholomew's, Newham and Whipps Cross. The attack reportedly affected the first three hospitals.

A spokeswoman for the National Health Service trust tells Information Security Media Group that contrary to some "rumors," the trust has concluded that the disruption did not involve ransomware.

"We are urgently investigating this matter and have taken a number of drives offline as a precautionary measure," she says. "We have tried and tested contingency plans in place and are making every effort to ensure that patient care will not be affected."

Investigators have confirmed that the trust's Cerner Millennium patient administration system - its electronic health records system - as well as radiology systems had not been affected, the spokesman added.

Attackers Target Healthcare Organizations

Although it's not yet clear whether this was an attack involving malware, numerous NHS trusts have been - and continue to be - targeted by malware as well as ransomware.

Last month, England's Northern Lincolnshire and Goole NHS Foundation Trust issued a statement confirming that an October 2016 attack - resulting in many services being temporarily canceled - had been the result of ransomware. It blamed the attack on a strain of ransomware called Globe2, saying it infected systems via spear-phishing attacks. The trust reported that it didn't pay the ransom but that it did have to cancel 2,800 appointments during the 48 hours required to deal with the infection.

The NoMoreRansom.org initiative currently offers free decryption tools for Globe3 and earlier (see 'No More Ransom' Portal Offers Respite From Ransomware).

Barts Previously Suffered Ransomware Infection

Barts Health Trust, meanwhile, reported on July 31, 2016 - in response to a freedom of information request - that it had suffered one ransomware attack in the previous 12 months that resulted in an attacker encrypting "a PC or device or network" within the organization. The trust's Laura Hynds reported that its response had been to recover "by restoring encrypted files from backup."

Hynds said that no ransom had been paid and that the trust did not notify police about the incident (see FBI to Ransomware Victims: Please Come Forward).

Hynds noted that the trust runs anti-virus software on its networked devices.

While the Barts Health Trust investigation is continuing, the trust's ability to wipe and restore its systems - as revealed by the earlier incident - is good news, because that means that in the event of any future ransomware attacks, it wouldn't have to consider paying a ransom. But as with so many ransomware or other malware attacks, systems often must be taken offline, wiped and then restored, which can be a laborious process. For healthcare institutions, it also means that even well-prepared organizations may have to cancel or postpone crucial care (see Ransomware Extortion: A Question of Time).

This story was updated Jan. 16 to reflect the trust confirming that ransomware was not related to this incident.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network