
Advanced: Healthcare data was stolen in LockBit 3.0 attack

Advanced has revealed a total of 16 of its health and social care sector customers had their data exfiltrated in a recent ransomware attack

Business management software supplier Advanced has revealed that a total of 16 customers in the health and social care sector had their data compromised in a ransomware attack on its systems that took place in August 2022, an attack that has now been attributed to the LockBit 3.0 cyber crime gang.

The unnamed organisations involved were all users of Advanced’s Caresys and Staffplan services. Caresys is a care home management software package that supports both frontline care and back-office functions for residential care home operators, while Staffplan is a care rostering software package that supports mobile domiciliary care providers. All the affected customers have been notified and are receiving support.

The attack itself began on 2 August and was identified on 4 August, at which point Advanced’s security team disconnected its entire Health and Care environment to contain the threat and limit its impact. The result of this was that multiple other services went offline, including those used by frontline NHS organisations.

The biggest impact seen was to users of Advanced’s Adastra clinical patient management software, which underpins the majority of the NHS’s 111 services, but patient services at many other NHS bodies and healthcare providers were disrupted, with many taking weeks to get back on their feet.

Advanced said that the LockBit 3.0 crew accessed its network using a legitimate set of third-party credentials to establish a remote desktop protocol (RDP) session on a Staffplan Citrix server. From there they were able to move laterally through the organisation’s Health and Care environment, escalate their privileges and deploy the ransomware. Immediately prior to executing the ransomware and encrypting Advanced’s systems, the gang exfiltrated a “limited” amount of data. Advanced did not reveal whether any of this data related to patients.

“We were able to recover the limited amount of data obtained from our systems and we believe the likelihood of harm to individuals is low,” the company said in a new statement.

“This is based on our expert threat intelligence vendor’s considerable experience with cases of this nature and the fact that there is no evidence to suggest that the data in question exists elsewhere outside our control. We are, however, monitoring the dark web as a belt and braces measure and will let you know immediately in the unlikely event that this position changes.”


The firm added: “We have been and continue to be in contact with the ICO, the NHS, the National Cybersecurity Centre (NCSC), and the National Crime Agency to provide regular status updates on this incident.

“Again, Advanced has now given required notice to all affected data controllers. If you were not contacted, your data was not copied out of the environment.”

Advanced said its teams have been working around the clock to get its systems and customers up and running again, but that the compliance and assurance checks mandated before services used by the NHS can be stood up again have added to the recovery time.

“As we learned more about this assurance process and adjusted in real time to meet certain requirements, it took longer than expected, which has impacted our overall recovery timeline. We have prioritised safety and security during every step of our recovery process,” the company said.

“Our Health and Care environments beyond Adastra and 111 will also require additional compliance checks, scanning, and going through the same assurance processes. This is time consuming and resource intensive and it continues to contribute to our recovery timeline. As we work through scanning and clearing systems, we are in parallel continuing to assess and/or develop recovery plans for remaining impacted products.

“We are working diligently and bringing all resources to bear, including outside recovery specialists, to help us restore services to our customers as quickly as possible, and in the interim, providing data extracts and assisting with contingency planning as appropriate.”

Advanced has also implemented a number of enhanced cyber security measures, including scanning for identified indicators of compromise, installing real-time monitoring, detection and response agents, resetting all passwords, rebuilding and hardening compromised systems, introducing enhanced network segmentation, and strengthening firewall rules.
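The initial access described above (a third-party account opening an RDP session on a Citrix server) and the real-time monitoring that Advanced says it has since introduced both point to the same defensive control: vendor accounts should only be able to reach the hosts, and be used at the times, that their access agreement allows, and any RDP logon outside that policy should raise an alert. The following is an added example and not code from Advanced or from any product named in the article; the account names, host names, access policy and log lines are all constructed for the demonstration, and the `key=value` log format is a stand-in for whatever the SIEM actually emits.

```python
"""
Added example (not Advanced's code): flag RDP logons by third-party/vendor
accounts that fall outside an approved vendor-access policy.
All account names, hosts, times and the log format are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Windows Security log logon type 10 = RemoteInteractive (RDP / Terminal Services).
RDP_LOGON_TYPE = 10

# Constructed policy: which vendor account may reach which host, and during
# which UTC hours. In practice this comes from the vendor-access register.
VENDOR_POLICY = {
    "corp\\svc-vendor-a": {"hosts": {"ctx-rostering-01"}, "hours": (8, 18)},
    "corp\\svc-vendor-b": {"hosts": {"app-reporting-02"}, "hours": (8, 18)},
}


@dataclass
class LogonEvent:
    ts: datetime
    account: str
    logon_type: int
    target_host: str
    source_ip: str


def parse_event(line):
    """Parse one constructed 'key=value' log line (a stand-in for the SIEM format)."""
    fields = dict(part.split("=", 1) for part in line.split())
    return LogonEvent(
        ts=datetime.fromisoformat(fields["ts"]).replace(tzinfo=timezone.utc),
        account=fields["account"].lower(),
        logon_type=int(fields["logon_type"]),
        target_host=fields["host"].lower(),
        source_ip=fields["src"],
    )


def findings_for(event):
    """Return the policy violations for one event; an empty list means in policy."""
    if event.logon_type != RDP_LOGON_TYPE:
        return []
    policy = VENDOR_POLICY.get(event.account)
    if policy is None:
        return []  # not a vendor account; other rules would cover staff logons
    reasons = []
    if event.target_host not in policy["hosts"]:
        reasons.append(f"host {event.target_host} not approved for {event.account}")
    start, end = policy["hours"]
    if not (start <= event.ts.hour < end):
        reasons.append(f"logon at {event.ts.isoformat()} outside approved window")
    return reasons


def scan(lines):
    """Run every line through the rule; return (account, host, reasons) per hit."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = findings_for(event)
        if reasons:
            hits.append((event.account, event.target_host, reasons))
    return hits


# Constructed sample log: one out-of-hours vendor RDP logon, one in-policy
# vendor logon, one vendor logon to an unapproved host, one ordinary staff logon.
SAMPLE_LOG = [
    "ts=2024-01-15T03:12:41 account=CORP\\svc-vendor-a logon_type=10 host=CTX-ROSTERING-01 src=198.51.100.7",
    "ts=2024-01-15T10:05:02 account=CORP\\svc-vendor-a logon_type=10 host=ctx-rostering-01 src=198.51.100.7",
    "ts=2024-01-15T10:30:15 account=CORP\\svc-vendor-b logon_type=10 host=ctx-rostering-01 src=203.0.113.9",
    "ts=2024-01-15T11:00:00 account=CORP\\jsmith logon_type=2 host=ws-0412 src=10.0.4.12",
]

if __name__ == "__main__":
    for account, host, reasons in scan(SAMPLE_LOG):
        print(f"ALERT {account} -> {host}: {'; '.join(reasons)}")
```

The point of the rule is that a valid credential is not, on its own, evidence of valid use: the first and third sample lines would both authenticate successfully, and only the comparison against the access register turns them into alerts. Feeding the same check with session-level context (source address ranges, concurrent sessions, logons following a password reset) extends it without changing its shape.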
