Two prominent NHS trusts, University College London Hospitals NHS Foundation Trust (UCLH) and University Hospital Southampton NHS Foundation Trust, have reportedly had data stolen in a sophisticated cyberattack that exploited vulnerabilities in third-party software.
The breach, described by experts from EclecticIQ as a clandestine data theft rather than a ransomware attack, leveraged a recently discovered vulnerability in Ivanti Endpoint Manager Mobile (EPMM), software used by organizations to manage employee mobile devices.
The vulnerability, identified on May 15th and since patched by Ivanti, allowed hackers to access, explore, and run programs on the targeted systems.
Cody Barrow, CEO of EclecticIQ and former Pentagon, US Cyber Command, and NSA operative, told Sky News his firm uncovered the extent of the incident.
He revealed that initial data accessed included staff phone numbers, IMEI numbers, and technical data like authentication tokens.
Crucially, such access could enable “remote code execution” (RCE), allowing attackers to run programs on compromised systems and potentially move on to other parts of the network, including patient records.
EclecticIQ analysts have identified that the attackers exploiting the Ivanti vulnerability used an IP address based in China, with operational methods mirroring those of previous China-based threat actors.
While such attacks can begin opportunistically, via automated scans for exposed software with known vulnerabilities, the implications for the NHS are profound.
Mr. Barrow said, “This situation represents another urgent wake-up call for the NHS. With threat actors actively exploiting these vulnerabilities, we’re not looking at a distant or theoretical risk. The targeting is happening now, and the consequences could be felt across the healthcare system.”
Barrow also highlighted the erosion of public trust and urged the NHS to treat this cyber threat with the same urgency as a medical emergency.
NHS England has confirmed it is investigating the potential incident in collaboration with cybersecurity partners, including the National Cyber Security Centre (NCSC) and the affected trusts.
The NCSC acknowledged that it is working to fully understand the UK impact of the Ivanti EPMM vulnerabilities being actively exploited, strongly encouraging organizations to follow vendor best practices for mitigation.
Ivanti, the software vendor, confirmed it had released a fix for the vulnerability and stated it was aware of a “very limited number of on-premise EPMM customers whose solution has been exploited.”