Client data exfiltrated in Advanced NHS cyber attack

  • 13 October 2022
Client data exfiltrated in Advanced NHS cyber attack

Health and care software supplier Advanced has confirmed that client data was accessed and extracted by hackers during a cyber incident in August 2022.

The variant of malware used by the perpetrators was LockBit 3.0, during the attack that has left some trusts without access to key software systems for two months.

In a new summary of the incident seen by Digital Health News, Advanced confirmed that the perpetrators of the attack were financially motivated and “were able to
temporarily obtain a limited amount of information from our environment pertaining to approximately 16 of our Staffplan and Caresys customers”. Both software systems are used to manage care homes and services.

Lockbit 3.0 uses the so-called double extortion method, involving both encrypting and exfiltrating (or transferring) a victim’s files to another device.

Advanced said that it has notified each of those affected customers as the controllers of the exfiltrated data.

Describing how the attack began, the Advanced report states: “The threat actor initially accessed the Advanced network using legitimate third-party credentials to establish a remote desktop (RDP) session to the Staffplan Citrix server.”

“During the initial logon session, the attacker moved laterally in Advanced’s Health and Care environment and escalated privileges, enabling them to conduct reconnaissance, and deploy encryption malware. Immediately prior to encrypting systems, the threat actor copied and exfiltrated a limited amount of data.”

Describing Advanced’s response, the report adds: “Upon first detecting suspicious activity, our security team promptly disconnected the entire Health and Care environment to contain the threat and limit encryption to a small number of systems.

“However, by taking this action, our customers lost access to Health and Care platforms, as well as a limited number of non-health and care environments and services, such as eFinancials.”

The report goes on to describe recovery efforts: “Although we were equipped and able to completely rebuild certain health and care products by the Monday following the incident, we were required to satisfy an assurance process set forth by our partners at the NCSC [National Cyber Security Centre], NHS, and NHS Digital.”

The report says that meeting the requirements of the assurance process is proving time consuming and is ongoing.

“As we learned more about this assurance process and adjusted in real time to meet certain requirements, it took longer than expected, which has impacted our overall recovery timeline. We have prioritized safety and security during every step of our recovery process,” it says.

The assurance process remains ongoing for systems and environments beyond Adastra and 111, including the CareNotes EPR system, which is currently unavailable at 12 NHS mental health trusts.

The report concludes: “This is time consuming and resource intensive and it continues to contribute to our recovery timeline.

“As we work through scanning and clearing systems, we are in parallel continuing to assess and/or develop recovery plans for remaining impacted products.”

Subscribe to our newsletter

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Sign up

Related News

Why the NHS needs to use digital to redesign care around patients

Why the NHS needs to use digital to redesign care around patients

Andrew Hine, MD of CereCore International, a healthcare IT application support and EPR consulting firm, speaks to Digital Health’s Jon Hoeksma about trends in the…
Crisis communications: how to cope when the NHS is held to ransom

Crisis communications: how to cope when the NHS is held to ransom

Building a reputation in health tech can take decades, yet it can be undone by a single crisis, writes Silver Buck’s Sarah Bruce
Three things we must do now to prevent patient harm from digital tech

Three things we must do now to prevent patient harm from digital tech

In the wake of reports linking IT flaws to deaths of patients, and the recent cyber attack on pathology in south east London, Chris Fleming…

11 Comments

  • More like an excuse for the NHS to ask for more funding, when they’ve already been getting plenty of funding for years. I don’t feel sorry at all for care workers. A lot of the british public [including me], are regretting clapping for carers. Was a waste of time. Don’t believe the NHS or social care when they say they need more funding. What when the time comes when the government don’t have enough money to keep funding social care anymore? The only true official care charity is called ‘Autism Matters,, and the other one is ‘CarersUK’. I’m absolutely done, mentally exhausted, from hearing about care and the NHS.

    • You nasty little troll. Autism Matters is one of my favourite charities – please don’t sully their name through association with your ignorant and bigoted remarks.
      This was a massive failure by a private sector company who have let down thousands of patients, including many service users who are on the spectrum.

  • Embarrassing for all of us working in this industry

    • It was the system supplier /host that was hacked. Not the Nhs. Just another example of the private sector doing things more efficiently (eye roll). Next time you need the Nhs be sure to let the staff know you’d like your claps back. I’m sure they will happily give you a quick round of applause rather than treat you.

  • Advanced are pushing the delay hard onto NHS Digital (whom have responsibility got cyber security) and NHS England (‘Gold Command’ on this incident) – however Advanced should have been aware of these assurance requirements and have included them in business continuity planning. Have suppliers really learned nothing from Wannacrypt, the HSE IE event, the Copeland incident in 2017? Each of those incidents involved catastrophic destruction of environments. It is staggering that an ‘Advanced’ organisation – one that provides Managed Security Services no less! – has not run complete DR and business continuity tests with its customers and other key stakeholders.

    Advanced host a number near-critical national infrastructure in NHS111, and mission critical applications for NHS and Social Care. I’m staggered that 6 years on from the Copeland incident, customers are left without applications because a key supplier was woefully unprepared for a cyber incident of this nature.

    • CareNotes was originally developed by a small enterprise down a country lane in NW England. Like so many other SMEs they were swallowed up by a bigger fish.
      Was “sweating the assets” an issue here?
      It would be interesting to know how far down the Cyber Essentials path Advanced have travelled and how Trusts managed to procure a product which, by Advanced’s own admission via their press statements, appears to have been non-compliant with basic IT security protocols.

  • Rumours in the market suggest that Advanced paid the ransom – is this true and if so how much was it?

  • Wow, a lot to unpack here.

    First of all, I feel so sorry for all of the care workers and patients impacted by this. It is now 10 weeks since Advanced noticed the intruders in their system (it sounds like they noticed when the intruders fired off ransomware). The intruders are stated to have been inside Advanced’s infrastructure for at least two days – time enough to extract confidential patient data and download it and move laterally inside the network. Let’s think about that for a second – they connected to Staffplan, a system made available over the public internet – and made their way into what should have been an entirely segregated set of systems connected to HSCN. Wow.

    Now let’s think about the return to service of some of these products. Carenotes has required to be rebuilt entirely. A new configuration. Where are the backups? Retrospective clinical records are being imported into the new configuration. Shocking.

    Adastra, a clinical system which is often sold with very high availability (99.99% or greater) is still only available to 9 out of every 10 customers.
    Staffplan, which is the core to many domiciliary care providers’ services and their ability to help their service users and demonstrate compliance to payers will have a limited Minimum Viable Product only tomorrow.

    It is hard to think how the management of this outage could have been poorer.

    A service interruption of to these products would have been poor if it had been measured in single digit days. The fall-out and interrupted service delivery will certainly stretch over 100 days and Advanced deserves to lose their entire health and care customer base. And customers of other products in their broad portfolio should take notice too! These systems were once an exemplar for customer service and functionality and now will just be a textbook example of how under-investment and lack of general care will eventually catch up with you.

  • The line taken by Advanced here seems to imply the large majority of delay is down to the assurance by NCSC / NHS Digital, and not to the activities involved in Advanced recovering and restoring their customers’ systems.

    It seems fairly unbelievable that NCSC / NHS Digital would be insisting on a level of assurance that would introduce this scale of delay unnecessarily (given the impact on care delivery), therefore the assumption surely has to be that Advanced is struggling to demonstrate to those organisations that their systems are secure enough to avoid something like this happening again?

    • Given the pressure from the EPRR team to get operating again it seems unlikely that they would have allowed assurance to cause such a delay. Smells a bit fishy.

      • It’s not really happening. It’s an excuse for NHS and the care sector to ask for even more funding. They would bleed a well dry if they could.

Comments are closed.