University College London Hospitals (UCLH) NHS Foundation Trust suffered a cyber attack exploiting a vulnerability in **Ivanti Endpoint Manager Mobile (EPMM)**, a third-party tool used to manage employee mobile devices. The breach, originating from a China-based IP address, exposed staff data, including **mobile numbers and IMEI identifiers** (unique device codes). While UCLH confirmed no evidence of **patient data or password compromise**, the incident underscored critical gaps in **supply chain security** within the NHS. The flaw, discovered on **May 15th** and later patched by Ivanti, was part of a broader campaign targeting organizations globally, including agencies in **Scandinavia, the US, Germany, and South Korea**. The attack did not disrupt operations but raised concerns over **vendor risk management** and the NHS’s reliance on third-party software. Cybersecurity experts, including those from **NHS England and EclecticIQ**, assisted in investigations, while analysts warned of persistent threats to healthcare infrastructure. This incident follows a pattern of NHS cyber attacks, such as the **June 2024 Synnovis ransomware attack** (disrupting London hospital procedures) and the **November 2023 Wirral University Teaching Hospital breach**. The NHS has since introduced a **cybersecurity charter** to enforce stricter vendor controls, including **mandatory patching, MFA, immutable backups, and 24/7 threat monitoring** to mitigate future risks.
TPRM report: https://www.rankiteo.com/company/uclh-nhs-foundation-trust
"id": "ucl2243422100325",
"linkid": "uclh-nhs-foundation-trust",
"type": "Cyber Attack",
"date": "11/2023",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'customers_affected': 'Staff (no patient data exposed)',
                        'industry': 'Healthcare',
                        'location': 'London, UK',
                        'name': 'University College London Hospitals (UCLH) NHS Foundation Trust',
                        'type': 'Healthcare Provider'},
                       {'customers_affected': 'Staff (no patient data exposed)',
                        'industry': 'Healthcare',
                        'location': 'Southampton, UK',
                        'name': 'University Hospital Southampton NHS Foundation Trust',
                        'type': 'Healthcare Provider'},
                       {'industry': 'Technology',
                        'name': 'Ivanti (Vendor)',
                        'type': 'Software Provider'}],
 'attack_vector': 'Exploitation of vulnerability in third-party software (Ivanti EPMM)',
 'customer_advisories': ['UCLH confirmed no patient data was accessed; only staff mobile device data (e.g., IMEI numbers) was exposed.'],
 'data_breach': {'personally_identifiable_information': 'No (only device identifiers)',
                 'sensitivity_of_data': 'Low (no passwords or PII beyond device identifiers)',
                 'type_of_data_compromised': ['Mobile device identifiers (IMEI numbers, mobile numbers)']},
 'date_detected': '2024-05-15',
 'description': 'University College London Hospitals (UCLH) NHS Foundation Trust and University Hospital Southampton NHS Foundation Trust were targeted in a cyber attack exploiting a flaw in Ivanti Endpoint Manager Mobile (EPMM), a tool used to manage employee mobile devices. The flaw, discovered on May 15th and since patched by Ivanti, exposed staff mobile device data (e.g., mobile numbers, IMEI numbers) but no evidence of patient data access was found. The attacks originated from a China-based IP address, with no definitive attribution. The incident underscores risks in NHS supply chain security and vendor risk management.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to repeated cyber incidents in NHS',
            'data_compromised': ['Staff mobile device data (mobile numbers, IMEI numbers)'],
            'identity_theft_risk': 'Low (no passwords or PII exposed beyond device identifiers)',
            'systems_affected': ['Ivanti Endpoint Manager Mobile (EPMM)']},
 'initial_access_broker': {'entry_point': 'Exploited vulnerability in Ivanti EPMM',
                           'high_value_targets': ['Staff mobile device data']},
 'investigation_status': 'Ongoing (UCLH investigating with NHS England cybersecurity experts)',
 'lessons_learned': "The incident highlights the critical need for robust vendor risk management, continuous vulnerability patching across the digital supply chain, and swift incident response coordination with suppliers in healthcare sectors. NHS's new cybersecurity charter aims to address these gaps by enforcing principles like MFA, immutable backups, and 24/7 threat monitoring for suppliers.",
 'post_incident_analysis': {'corrective_actions': ['Ivanti released a patch for the EPMM vulnerability.',
                                                   'NHS launched a cybersecurity charter to enforce stricter vendor security requirements (e.g., MFA, immutable backups, 24/7 monitoring).',
                                                   'Ongoing investigations to assess full impact and improve incident response coordination.'],
                            'root_causes': ['Exploitation of unpatched vulnerability in third-party software (Ivanti EPMM).',
                                            'Inadequate vendor risk management and supply chain security practices in NHS.']},
 'recommendations': ['Strengthen third-party vendor security assessments and contractual obligations.',
                     'Implement continuous vulnerability scanning and patch management for all third-party software.',
                     'Enhance incident response coordination between NHS trusts and vendors.',
                     "Adopt the NHS cybersecurity charter's principles (e.g., MFA, immutable backups, 24/7 monitoring).",
                     'Improve supply chain transparency to identify and mitigate risks from third-party dependencies.'],
 'references': [{'source': 'ITPro'},
                {'source': 'Sky News'},
                {'source': 'UCLH Public Statement'},
                {'source': 'EclecticIQ (Security Firm)'}],
 'response': {'communication_strategy': ['Public statement by UCLH confirming staff data exposure but no patient data access'],
              'incident_response_plan_activated': True,
              'remediation_measures': ['Ivanti released patch for the EPMM flaw'],
              'third_party_assistance': ['NHS England cybersecurity experts']},
 'title': 'Cyber Attacks on Two NHS Trusts Expose Staff Data via Ivanti EPMM Vulnerability',
 'type': ['Data Breach', 'Supply Chain Attack'],
 'vulnerability_exploited': 'Flaw in Ivanti Endpoint Manager Mobile (EPMM)'}