Data from hospital cyber attack ‘could be released before NHS can investigate’, Alder Hey warns

Three more North West hospitals targeted by cyber attacks

  • ITV Granada Reports correspondent Ann O'Connor takes a look at the impact for patients and speaks to Dr Max Hashem Eiza a Cyber Security expert from Liverpool John Moores University

Hackers could release data from a cyber attack on hospitals before the NHS can investigate, a trust has warned.

Alder Hey Children’s NHS Foundation Trust said criminals gained unlawful access to data through a digital gateway service it shares with Liverpool Heart and Chest Hospital on Thursday 28 November.

The trust, which runs a hospital in the same name in Liverpool and other community care facilities, said it has launched an investigation “to determine the full facts around what data has been obtained unlawfully”.

But in a statement on Wednesday, 4 December, it said the probe may take “some time” and there is a possibility the cyber attackers may publish the data before its investigation is complete.

It is not yet known how many people have been affected by the data breach but the trust said the hackers also accessed a small amount of data from Royal Liverpool University Hospital.

Royal Liverpool University Hospital. Credit: Liverpool Echo

The trust said the criminals have claimed to have extracted data from affected systems and screenshots allegedly containing data retrieved in the attack were published online last week.

“We are continuing to take this issue very seriously while investigations continue into whether the attacker has obtained confidential data,” they said in a statement.

“As part of our response to this threat we have made progress in securing impacted systems and ensuring the attackers do not have continued access.

“This means that we are in a position to begin to reconnect our systems when it is safe to do so.

“Hospital services remain unaffected and continue to run normally. Patients are advised to continue to attend appointments.”

Arrowe Park was targeted on 25 November by hackers. Credit: ITV News

It comes just days after another Merseyside hospital was targeted in a cyber attack.

Wirral’s Arrowe Park declared a major incident on 25 November, where patients faced cancelled appointments and long A&E waits.

Now, more than a week after the attack, the trust has stood down the major incident.

A Wirral University Teaching Hospital spokesperson said: “A major incident was declared at our Trust last week due to a cyber security issue.

"Following the Trust’s speedy response, the incident has been fully stood down and our systems are back up and running.

“We would like to thank the public for their support and patience while our teams worked hard to resolve the issue.”

Hospital hopes to fully restore computers in 'next 24 hours' after cyber attack

Alder Hey Children’s NHS Foundation Trust said the incidents were not linked and it is following guidance from the Information Commissioner’s Office (ICO) and ensuring “that anyone impacted by this data breach is contacted directly and supported”.

An ICO spokesperson said: “People’s medical data is highly sensitive information, not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law.

“Anyone who has concerns about how their information has been handled, should raise it with the organisation first, then report them to us if they are not satisfied with the response.”