Ransom gang claims attack on NHS Alder Hey Children's Hospital

Yet another of the UK's National Health Service (NHS) systems appears to be under attack, with a ransomware gang threatening to leak stolen data it says is from one of England's top children's hospitals.

The attack on Liverpool's Alder Hey Children's Hospital and Liverpool Heart and Chest Hospital NHS Foundation Trust is apparently unconnected to an ongoing cyber "incident" at the Wirral University Teaching Hospital NHS Trust that is causing severe disruption at hospitals nearby.

The children's hospital also dispelled any possible links to the Wirral incident, ongoing since earlier this week, which was allegedly carried out by rival ransomware crooks over at RansomHub.

INC Ransom, the group that claimed responsibility for an attack on NHS Scotland in June this year, now claims to have stolen data from Liverpool's Alder Hey Children's Hospital and Liverpool Heart and Chest Hospital NHS Foundation Trust.

The criminals published a limited sample of the allegedly stolen data, which includes the full names and addresses of supposed patients and donors, the amount of money said donors have given to the hospital, patients' medical reports (including unique hospital numbers and dates of birth), and financial documents.

They claimed the data goes back to 2018 and runs right up to 2024.

In a statement issued on Thursday, Alder Hey said: "We are aware that data has been published online and shared via social media that purports to have been obtained illegally from systems shared by Alder Hey and Liverpool Heart and Chest Hospital NHS Foundation Trust. We are working with partners to verify the data that has been published and to understand the potential impact.

"We are taking this issue very seriously and are working with the National Crime Agency (the NCA) as well as partner organizations to secure our systems and to take further steps in line with law enforcement advice as well as our statutory duties relating to patient data."

The Register reached out to Alder Hey and the NCA for additional information about the situation but neither immediately responded.

Just a few miles away and separated only by a narrow stretch of the River Mersey, the two attacks on the geographically linked Alder Hey and Wirral NHS Trusts is something of an anomaly. It's rare, but not unheard of, for NHS organizations to be attacked given the degree of disruption criminals can cause, but for two attacks to occur in the same week within a stone's throw of each other is very much an oddity.

Alder Hey said, unlike its neighbors in Wirral, that its services are operating as normal and no scheduled appointments or procedures were impacted.

• Mega US healthcare payments network restores system 9 months after ransomware attack
• Ransomware's ripple effect felt across ERs as patient care suffers
• LockBit shows no remorse for ransomware attack on children's hospital
• Lurie Children's Hospital back to pen and paper after cyberattack

The hospital is one of the largest and busiest of its kind in Europe, and deals with all manner of cases from minor to the most complex. Alongside London's Great Ormond Street Hospital, it's a pioneer in medical research and is among the most recognizable names in UK healthcare.

INC Ransom is the same band of scumbags that attacked NHS Dumfries and Galloway back in March and in similar fashion to Alder Hey, it plastered a bunch of stolen data online as a means to dial up the pressure and have its extortion demands met.

The Scottish NHS Trust it attacked later confirmed the criminals got their hands on 150,000 people's data after it refused to meet the gang's demands. INC Ransom allegedly stole up to 3TB worth of data from the Trust. ®