NHS trusts' data 'stolen' in cyberattack which 'could leak sensitive patient records'

28 May 2025, 12:50

Two NHS Trusts have had data stolen in the latest cyberattack on the health service, with concerns of patient data being leaked.

Former US government adviser and chief executive of EclecticIQ Cody Barrow said hackers exploited software holes to access some staff phone numbers, but warns it leaves systems vulnerable to patient data being compromised.

NHS England said it's monitoring the situation at University College London and University Hospital Southampton trusts.

He said such attacks raise the "potential for unauthorised access to highly sensitive patient records".

Analysts at EclecticIQ said victims of the hack are likely from agencies and businesses across Scandinavia, the UK, US, Germany, Ireland, South Korea and Japan.

Read More: Google facing £25 billion legal claim over abuse of search advertising market

Read More: Warning issued after outbreak of salmonella leaving five hospitalised and 20 ill

The trusts in the UK were reportedly access maliciously, Sky News claims.

Data was reportedly taken clandestinely after hackers exploited holes in software called Ivanti Endpoint Manager Mobile (EPMM), which manages employee phones.

The software hole was discovered on May 15 and has allegedly been fixed.

The vulnerability in Ivanti's software allowed hackers to access and run programmes on their systems.

The kind of data accessed included staff phone numbers, IMEI numbers, and technical data such as authentication tokens, according to the experts at EclecticIQ.

The attack could leave hackers access to other data like patient records, but this is yet to be confirmed.

Mr Barrow told Sky News: "This situation represents another urgent wake-up call for the NHS. With threat actors actively exploiting these vulnerabilities, we're not looking at a distant or theoretical risk. The targeting is happening now, and the consequences could be felt across the healthcare system.

"The potential compromise scope goes well beyond data theft. We're looking at the potential for unauthorised access to highly sensitive patient records, the disruption of crucial appointment systems, and even interference with critical medical devices that are vital for daily patient care."

"This strikes at the heart of patient safety and care delivery," Mr Barrow added. "The impact wouldn't be isolated, it could cause cascading effects cancelled surgeries, delays in urgent treatments, and medical devices failing when needed most. We've seen this before.

"Past cyberattacks have shown the chaos that ensues, directly threatening patient outcomes, putting lives at risk and forcing frontline staff to work under extreme pressure.

"Beyond immediate operational chaos, these vulnerabilities also profoundly erode public trust in the NHS's capacity to safeguard both their data and their health.

"The immediate directive for NHS trusts to engage their cybersecurity teams underscores the severity. The response to this kind of cyber threat needs to be treated with the same urgency as a medical emergency."

A spokesperson for NHS England told the broadcaster: "We are currently investigating this potential incident with cybersecurity partners, including the National Cyber Security Centre, and the trusts mentioned.

"NHS England provides 24/7 cyber monitoring and incident response across the NHS, and we have a high severity alert system that enables trusts to prioritise the most critical vulnerabilities and remediate them as soon as possible.

"A NCSC spokesperson said: "We are working to fully understand UK impact following reports that critical vulnerabilities in Ivanti Endpoint Manager Mobile are being actively exploited.

"The NCSC strongly encourages organisations to follow vendor best practice to mitigate vulnerabilities and potential malicious activity.

"Vulnerabilities are a common aspect of cyber security, and all organisations must consider how to most effectively manage potential security issues.

"A spokesperson for Ivanti said they had released a fix for the vulnerability in their software.

"We remain committed to collaboration and transparency with our stakeholders and the broader security ecosystem," it added.

"At the time of disclosure, we are aware of a very limited number of on-premise EPMM customers whose solution has been exploited."