Cyber Incident Victim: National Health Services Lincolnshire and Goole
Date: Oct 2016
Location: United Kingdom
Summary
A computer virus infection at a UK hospital trust led to the cancellation of all planned operations and outpatient appointments, along with the diversion of major trauma cases and high-risk maternity patients to neighboring facilities. The organization shut down most electronic systems to isolate and eliminate the malware, maintaining only essential inpatient care while disrupting diagnostic procedures and non-emergency services. The incident coincided with national cybersecurity strategy announcements highlighting threats to critical infrastructure, and reporting at the time noted ransomware's growing targeting of healthcare institutions that depend on immediate data access.
Description
On October 30, 2016, the National Health Service’s Lincolnshire and Goole trust experienced a significant disruption when an unspecified computer virus infected its electronic systems. The trust declared a "major incident" and implemented emergency measures, including canceling all planned operations, outpatient appointments, and diagnostic procedures scheduled for November 2, with only minor exceptions. Major trauma cases were diverted to neighboring hospitals, and high-risk women in labor were redirected to other facilities. Inpatient care continued, with discharges proceeding once patients were medically cleared. NHS officials stated they followed expert advice to shut down the majority of their systems to isolate and destroy the malware. The infection caused widespread operational paralysis, though the trust did not disclose technical details about the virus’s origin, propagation method, or specific systems affected. Service disruptions occurred for at least three days, with the trust’s public advisory confirming ongoing containment efforts but providing no timeline for full system restoration.

The incident coincided with the UK government’s announcement of a national cybersecurity strategy, which pledged increased funding and specialized police units to combat cybercrime. While NHS Lincolnshire did not confirm the malware variant, contextual reporting highlighted ransomware as a probable culprit due to its increasing targeting of healthcare organizations globally. Industry reports indicated healthcare entities faced over 20 daily ransomware-related data loss incidents in 2016, with confirmed ransom payments nearing $100,000 that year. The attack underscored healthcare infrastructure’s vulnerability to disruptions that directly impact clinical operations, including emergency care coordination. No patient injuries or fatalities were explicitly linked to the incident in available reporting. NHS Lincolnshire’s response focused on containment via system isolation, service prioritization for critical cases, and external patient diversions, though no data recovery methods or forensic findings were disclosed publicly. Concurrent national policy discussions emphasized threats to critical infrastructure, including hospitals, airports, and power grids, amid growing concerns about foreign cyber threats.
