NHS trusts had information stolen in the latest cyberattack on the UK health service, experts have told Sky News, with concerns raised that patient data might be vulnerable in such incidents.
University College London Hospitals NHS Foundation Trust and University Hospital Southampton NHS Foundation Trust have been named as those exposed via a recently discovered exploit.
NHS England told Sky News it is monitoring the situation – with the UK’s top cybersecurity defence team at the National Cybersecurity Centre (NCSC).
Cody Barrow is the chief executive of EclecticIQ and previously worked at the Pentagon, US Cyber Command and the NSA. The firm analyses cyberattacks and uncovered the extent of this incident.
He told Sky News such attacks raise the “potential for unauthorised access to highly sensitive patient records”.
Analysts at EclecticIQ have identified victims of the hack spanning agencies and businesses across Scandinavia, the UK, US, Germany, Ireland, South Korea and Japan.
Sky News has been shown evidence of the trusts in the UK being accessed maliciously.
Rather than a ransomware attack, data was taken clandestinely after hackers exploited holes in software.
In this case, the vulnerability was in a piece of software called Ivanti Endpoint Manager Mobile (EPMM) – a programme that helps businesses manage employee phones.
The hole in Ivanti’s software was first discovered on 15 May, and it has since been fixed – although there are warnings that systems previously exploited could still be vulnerable.
The vulnerability in Ivanti’s software allowed hackers to access, explore and run programmes on their target’s systems.
According to the experts at EclecticIQ, the kind of data accessed included staff phone numbers, IMEI numbers, and then technical data like authentication tokens.
Such attacks can leave hackers able to access other data like patient records and further parts of the network via a process called remote code execution (RCE) – running programmes on compromised systems.
The analysts said they have identified the hackers exploiting the Ivanti backdoor as having used an IP address based in China.
Alongside this, the way the hackers operate is similar to how previous China-based actors behaved.
Such attacks can occur when hackers use an automated scan of the internet to find examples of vulnerable software, rather than being targeted.
Read more from Sky News:
‘China-based’ hack targets UK firms
M&S warns of hacking crisis
Mr Barrow told Sky News: “This situation represents another urgent wake-up call for the NHS. With threat actors actively exploiting these vulnerabilities, we’re not looking at a distant or theoretical risk. The targeting is happening now, and the consequences could be felt across the healthcare system.
“The potential compromise scope goes well beyond data theft. We’re looking at the potential for unauthorised access to highly sensitive patient records, the disruption of crucial appointment systems, and even interference with critical medical devices that are vital for daily patient care.”
“This strikes at the heart of patient safety and care delivery,” Mr Barrow added. “The impact wouldn’t be isolated, it could cause cascading effects cancelled surgeries, delays in urgent treatments, and medical devices failing when needed most. We’ve seen this before.
“Past cyberattacks have shown the chaos that ensues, directly threatening patient outcomes, putting lives at risk and forcing frontline staff to work under extreme pressure.
“Beyond immediate operational chaos, these vulnerabilities also profoundly erode public trust in the NHS’s capacity to safeguard both their data and their health.
“The immediate directive for NHS trusts to engage their cybersecurity teams underscores the severity. The response to this kind of cyber threat needs to be treated with the same urgency as a medical emergency.”
👉 Listen to Sky News Daily on your podcast app 👈
A spokesperson for NHS England told Sky News: “We are currently investigating this potential incident with cybersecurity partners, including the National Cyber Security Centre, and the trusts mentioned.
“NHS England provides 24/7 cyber monitoring and incident response across the NHS, and we have a high severity alert system that enables trusts to prioritise the most critical vulnerabilities and remediate them as soon as possible.”
A NCSC spokesperson said: “We are working to fully understand UK impact following reports that critical vulnerabilities in Ivanti Endpoint Manager Mobile are being actively exploited.
“The NCSC strongly encourages organisations to follow vendor best practice to mitigate vulnerabilities and potential malicious activity.
“Vulnerabilities are a common aspect of cyber security, and all organisations must consider how to most effectively manage potential security issues.”
A spokesperson for Ivanti said they had released a fix for the vulnerability in their software.
“We remain committed to collaboration and transparency with our stakeholders and the broader security ecosystem,” it added.
“At the time of disclosure, we are aware of a very limited number of on-premise EPMM customers whose solution has been exploited.”
