A cyber incident at University College London Hospitals NHS Foundation Trust (UCLH) involved the brief compromise of a software product used to manage mobile phones and tablets. The product did not contain patient data or staff passwords, but it did contain some staff mobile and IMEI numbers. The vulnerability in the software allowed hackers, using an IP address based in China, to access, explore, and run programs on the target's systems. While the software vulnerability has been fixed, there is a risk that hackers could access other data, such as patient records, and further parts of the network via remote code execution.
TPRM report: https://scoringcyber.rankiteo.com/company/uclh-nhs-foundation-trust
"id": "ucl1008052925",
"linkid": "uclh-nhs-foundation-trust",
"type": "Cyber Attack",
"date": "5/2025",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'industry': 'Healthcare',
'location': 'London, UK',
'name': 'University College London Hospitals NHS '
'Foundation Trust (UCLH)',
'type': 'Hospital'},
{'industry': 'Healthcare',
'location': 'Southampton, UK',
'name': 'University Hospital Southampton NHS '
'Foundation Trust',
'type': 'Hospital'}],
'attack_vector': 'Exploiting vulnerabilities in Ivanti Endpoint Manager '
'Mobile (EPMM) software',
'data_breach': {'data_exfiltration': True,
'sensitivity_of_data': 'Medium',
'type_of_data_compromised': ['staff mobile numbers',
'IMEI numbers']},
'date_detected': 'May 2025',
'date_publicly_disclosed': '22 May 2025',
'description': 'NHS England is investigating a cyber incident at University '
'College London Hospitals NHS Foundation Trust (UCLH) and '
'University Hospital Southampton NHS Foundation Trust. A '
'software product used to manage mobile phones and tablets was '
'compromised, allowing hackers to access and run programs on '
"the target's systems.",
'impact': {'data_compromised': ['staff mobile numbers', 'IMEI numbers'],
'systems_affected': ['mobile phones and tablets management '
'software']},
'initial_access_broker': {'entry_point': 'Vulnerabilities in Ivanti EPMM '
'software'},
'investigation_status': 'Ongoing',
'post_incident_analysis': {'corrective_actions': 'Released updates for Ivanti '
'EPMM',
'root_causes': 'Vulnerabilities in Ivanti EPMM '
'software'},
'recommendations': ['Follow vendor best practice to mitigate vulnerabilities',
'Manage potential security issues effectively'],
'references': [{'source': 'Digital Health News'},
{'source': 'Sky News'},
{'source': "Ivanti's website"}],
'response': {'communication_strategy': ['Contacting affected staff',
'Reassuring patients and staff'],
'containment_measures': ['Made software secure swiftly'],
'enhanced_monitoring': ['24/7 cyber monitoring and incident '
'response'],
'incident_response_plan_activated': True,
'remediation_measures': ['Released updates for Ivanti EPMM'],
'third_party_assistance': ["NHS England's cyber security "
'response team',
'National Cyber Security Centre']},
'title': 'Cyber Attack on NHS Trusts via Mobile Phone Software',
'type': 'Cyber Attack',
'vulnerability_exploited': 'Medium and high severity vulnerabilities in '
'Ivanti EPMM software'}