Over one million NHS patient records have been accessed by the cybercriminals who attacked the University of Manchester, it has been reported. The data had been gathered by the university for research purposes.
Among the leaked details are NHS numbers and the first three letters of patients’ postcodes.
NHS records leaked during University of Manchester cyberattack
The university announced it had been subject to a cyberattack on 9 June, and that data of past and present students and alumni had been accessed by cybercriminals. It explained that it was conducting an investigation and was in contact with the UK’s National Cybersecurity Centre (NCSC).
Now The Independent has reported the data accessed included 1.1 million NHS records that had been gathered for the purposes of medical research from more than 200 hospitals. The data includes reports of major-trauma patients across the country and treatment for victims of terrorist attacks.
The university has admitted to NHS officials that it does not know how many patients were affected or whether names had also been hacked, according to a memo seen by The Independent.
As a result of the incident, NHS chiefs were warned by Manchester University that there is “potential for NHS data to be made available in the public domain.” The data set has since been closed, but an investigation undertaken by the university has found that back-up servers were accessed.
Manchester University has updated the list of data seen by cybercriminals, which now includes universities and colleges admissions service (UCAS) numbers and fee status, UCAS disability codes, as well as personally identifiable information such as university IDs and dates of birth.
The university’s priority is to resolve this issue, it said in a statement alongside the updated information. “Our in-house experts and external support are working around the clock to resolve this incident and respond to its impacts,” it said. “We are continuing our investigations”
Tech Monitor has approached the University of Manchester and the NHS for comment but has not received any response at the time of writing.
Triple extortion threats to students
The perpetrators of the attack have not yet come forward, and it is not known what level of ransom has been demanded.
But the exposed data has since reportedly been used to contact students in an effort to get them to apply pressure to the university to pay up. In their email to affected students, the criminals claim they have research data, medical data, police reports, drug tests results, databases, HR documents, finance documents and more.
“The administration is fully aware of the situation and had been in discussion with us for over a week,” the hackers said. “They value money above the privacy and security of their students and employees. They do not care about you or that ALL your personal information and research work will be sold or made public.”
This information will be used against the students if the university does not pay up, the anonymous cybercriminals explained in a separate email. “Ever cheat on exams? Accused of misconduct? Have health incident? We have proof, and soon everyone will have this proof too,” they wrote. “Think about your future and your career. This data can destroy your life.”
The tactic of contacting individual victims of an attack is known as triple extortion, and has been seen in use as part of the ongoing MOVEit Transfer supply chain attack. Staff at the BBC have reportedly been contacted directly by hackers in an effort to persuade the broadcaster to pay the ransom.