Advanced begins forensic investigation into ransomware attack

Advanced are in the early stages of a forensic investigation into its recent ransomware attack which aims to find out the root cause and whether sensitive patient data has been accessed.

On 4 August, Advanced experienced disruption to its systems that have since determined to be the result of a cybersecurity incident caused by ransomware. The affected products, either directly or indirectly, are Adastra, Caresys, Odyssey, Carenotes, Crosscare, Staffplan and eFinancials. According to data from Digital Health Intelligence, Advanced provides various systems across 36 acute and mental health trusts in England.

The ransomware attack was conducted by a threat actor that Advanced believe, based on threat intelligence provided to them from the authorities and their expert advisors to date, is purely financially motivated.

It is not yet known whether sensitive data is at risk as a result of the incident, with the forensic investigation underway to discover more information about potential data access or exfiltration.

Simon Short, chief operating officer at Advanced, said: “We are continuing to make progress in our response to this incident. We are doing this by following a rigorous phased approach, in consultation with our customers and relevant authorities.

“We thank all our stakeholders for their patience and understanding as our team works around the clock to resume service as safely and securely as possible.”

Advanced has engaged with third-party forensic partners including Mandiant and the Microsoft DART teams to conduct an investigation and ensure that their systems are brought back online securely with enhanced protections.

In terms of remediation and recovery, Advanced are rebuilding and restoring systems in a separate and secure environment. They have implemented a defined process by which all environments will be systematically checked prior to securely bringing them online.

The company is also working with the NHS and the NCSC to validate the additional steps taken, at which point the NHS will begin to bring its services back online.

In the most recent update on the webpage on 10 August, Advanced say that for NHS 111 and other urgent care customers, they anticipate this phased process to begin within the next few days.

For other NHS customers, their current view is that it will be necessary to maintain existing contingency plans for at least three to four more weeks but are working tirelessly to bring this timeline forward.