NHS email service users ensnared in phishing attack

NHS Digital is contacting users of its NHSmail email system after a small number of mailboxes were compromised in a generic phishing attack and sent malicious emails out to external recipients over the weekend of 30 and 31 May 2020.

The incident, which has been reported to the National Cyber Security Centre (NCSC), affected a total of 113 NHSmail accounts, which is approximately 0.008% of the total number of accounts on the network.

“We are aware that 113 NHSmail mailboxes were compromised and sent malicious emails to external recipients between Saturday 30 May and Monday 1 June 2020,” an NHS Digital spokesperson told Computer Weekly. 

“There is currently no evidence to suggest that patient records have been accessed. We are working closely with the NCSC, which is investigating a widespread phishing campaign against a broad range of organisations across the UK. This has affected a very small proportion of NHS email accounts.

“We are investigating this issue and have taken the precaution of asking all mailboxes that have a similar configuration to the compromised accounts to change their passwords with immediate effect,” they said.

“We have worked with the organisations involved to isolate affected accounts, supported them to make any necessary changes and have advised affected individuals.”

It is understood that this particular attack did not target the NHS per se, and nor is it necessarily related to cyber criminal activity coalescing around the Covid-19 coronavirus pandemic – rather it came about as the result of a global phishing campaign casting a wide net to ensnare as many organisations as possible.

The NCSC, which acknowledged it was assisting NHS Digital in the wake of the incident, had previously warned about this campaign last October. Targets are quite easily compromised because the email will come from a legitimate email account, known to the target, which has been compromised, and its subject lines will often mirror the most recent genuine email exchange between the two, making the phishing email seem more plausible.

The more recent variants being seen towards the end of 2019 also sometimes included the compromised user’s address book entry for the recipient of the email. The email body texts tend to consist of a black ellipsis on a grey highlighted background, with a single hyperlinked sentence underneath. The most commonly received emails tended to say nothing more than “Notification received Open notification”, or a few minor variants on that text.

The health service pointed out thanks to a number of cyber security improvements put in place in the wake of the WannaCry incident, including a new password policy for users, NHSmail accounts had actually seen a 94% decrease in phishing emails in the past 12 months.

The NHSmail service has a strict set of standards governing its security, laid out under section 250 of the Health and Social Care Act of 2012, details of which are available to the public. It establishes acceptable usage policies, includes an encryption service for sensitive data, and contains strict password hygiene guidelines. NHS Digital also conducts proactive account monitoring and receives current threat intelligence through its security operations centre (SOC).

NHS Digital has stepped up monitoring of its other email accounts, numbering well over a million, for any further evidence of suspicious activity and said affected users will be contacted on or by 16 June.