Another ransomware attack has targeted the UK’s National Health Service (NHS), this time hitting Alder Hey Children’s Hospital in Liverpool, one of Europe’s largest pediatric hospitals.
In a post to its data leak site, the group behind the attack, INC Ransom, claims to have stolen sensitive data from both Alder Hey and the Liverpool Heart and Chest Hospital NHS Foundation Trust. This data allegedly includes names, addresses, financial records, and medical reports from patients and donors from 2018 to 2024.
INC Ransom's operation relies on a vulnerability called CitrixBleed (CVE-2023-4966), which affects Citrix products like the NetScaler ADC and Gateway appliances. These tools help businesses and public services manage app delivery and secure remote access. Exploiting the vulnerability allows attackers to bypass multi-factor authentication (MFA) and take control of active user sessions.
In response to the attack, Alder Hey said that their operations are still running as normal, with no disruptions to appointments or procedures. Their full statement reads:
We are aware that data has been published online and shared via social media that purports to have been obtained illegally from systems shared by Alder Hey and Liverpool Heart and Chest Hospital NHS Foundation Trust. We are working with partners to verify the data that has been published and to understand the potential impact.
We are taking this issue very seriously and are working with the National Crime Agency as well as partner organizations to secure our systems and to take further steps in line with law enforcement advice as well as our statutory duties relating to patient data.
This incident is not linked to the ongoing incident at Wirral University Teaching Hospitals.
Our services are operating as normal, and patients should attend appointments as usual.
Ransomware attacks targeting public infrastructure are not new, especially in the NHS. INC Ransom is notorious for these activities, having previously attacked NHS Dumfries and Galloway earlier this year. In that case, the group leaked data after demands were refused, affecting around 150,000 people.
Globally, ransomware incidents continue to evolve. Windows-based systems have historically been common targets, with attacks like WannaCry wreaking havoc in 2017, disrupting NHS services nationwide. Linux servers are increasingly at risk as attackers recognize their role in enterprise operations, exploiting vulnerabilities to gain footholds in large networks. Meanwhile, macOS isn’t exempt, with ransomware like LockBit demonstrating that even Apple’s ecosystem isn’t immune.
Source: The Register