Ransomware hackers target NHS hospitals with new cyberattacks

Ransomware hackers have continued an assault on National Health Service trusts across the United Kingdom by compromising multiple hospitals, exposing sensitive patient data and disrupting emergency services.

Inc Ransom, a prolific Russia-linked ransomware group that claimed responsibility for an attack on NHS Scotland earlier this year, now claims to have breached the Alder Hey Children’s Hospital Trust, one of Europe’s largest children’s hospitals. 

In a post on its dark web leak site, Inc Ransom claims to have stolen patient records, donor reports, and procurement data spanning between 2018 and 2024 from Alder Hey. Samples of the alleged stolen data, seen by TechCrunch, include records containing sensitive health information on patients, along with personally identifiable information, such as dates of birth and addresses.

In a statement published on Wednesday, Alder Hey — which first confirmed the cybersecurity incident on November 28 — said it had determined that hackers compromised a “digital gateway service” used by several hospitals to access its systems. This gave the hackers access to data belonging to the children’s hospital, along with data from Liverpool Heart and Chest Hospital and Royal Liverpool University Hospital, the statement said.

“The attacker has claimed to have extracted data from impacted systems,” Alder Hey said in its statement on Wednesday. “We are continuing to take this issue very seriously while investigations continue into whether the attacker has obtained confidential data.”

Alder Hey says that its hospital services remain unaffected and continue to run normally, but warned that there was a possibility that the attackers “may publish the data before our investigation is concluded.”

Separately, the Wirral University Teaching Hospital — located just miles from Alder Hey — has also been targeted by a ransomware attack, which last week forced the hospital to declare a “major incident” after shutting down its systems.

Wirral’s teaching hospital is responsible for a group of hospitals across north-west England, including Arrowe Park Hospital, Clatterbridge Hospital, and Wirral Women and Children’s Hospital.

The disruption caused by the cyberattack, which has not yet been claimed by any major ransomware group, is ongoing. In a statement published on its website Wednesday, the Wirral hospital trust said that while it is in the process of restoring its clinical systems, some services will “continue to be affected.”

“Emergency treatment is being prioritized but there are still likely to be longer than usual waiting times in our Emergency Department and assessment areas,” the trust said. “We urge all members of the public to attend the Emergency Department only for genuine emergencies.”

The NHS has long been an attractive target for ransomware hackers. Earlier this year, the health service declared a “critical” incident after a cyberattack on pathology services provider Synnovis led to a massive data breach and months of disruption, including canceled operations and the diversion of emergency patients. The Qilin ransomware gang, which claimed responsibility for the attack, also leaked 400 gigabytes of sensitive data allegedly stolen from Synnovis, including highly sensitive patient details.

The U.K. government has not commented on the attacks, but last year published a five-pillar strategy that aims to make the NHS more resilient to cyberattacks by 2030. This came just months after a cyberattack on Advanced, an IT service provider, that caused widespread disruption to NHS services across the U.K.

The U.K. government has said it will also introduce the Cyber Security and Resilience Bill to parliament in 2025, which will mandate the reporting of ransomware attacks.