Cyber Incident Victim: Moorfields Eye Hospital

Date: Aug 2021

Location: United Arab Emirates

Summary

A cyberattack claimed by the AvosLocker group targeted an international eye hospital's Dubai servers, with threat actors alleging exfiltration of over 60 GB of data and demanding payment to prevent leaks. The hospital confirmed a security incident involving unauthorized access to some patient identification information but stated no compromise of health records, notifying affected individuals while engaging cybersecurity specialists to bolster network defenses. Attackers published samples of breached data, including spreadsheets containing patient names and phone numbers from past appointments and billing records, threatening further disclosures if ransom demands were unmet.

Description

On or around August 16, 2021, Moorfields Eye Hospital Dubai experienced a cyberattack claimed by the ransomware group AvosLocker. The threat actors asserted they had exfiltrated over 60 GB of data from "Moorfields NHS UK & Dubai," though subsequent investigations revealed no compromise of UK-based systems. AvosLocker published a sample of the stolen data on their leak site, including spreadsheets from 2018 and 2019 containing patient appointment records, billing information, and personally identifiable information such as names and phone numbers. The group issued a ransom demand and threatened to release the full dataset within two weeks if their demands were not met. A screenshot posted by the attackers corroborated access to files specific to the Dubai hospital’s servers. Initial evidence suggested the breach targeted administrative and operational data rather than clinical health records.

Moorfields Eye Hospital initiated an urgent investigation upon detecting the incident, engaging a leading cybersecurity specialist agency to assess the scope and impact. The hospital confirmed that attackers accessed servers containing patient identification information from its Dubai location but found no evidence that medical records or UK systems were affected. Proactive measures were implemented to strengthen network and website security following the breach. Moorfields Dubai notified all potentially impacted patients about the unauthorized access to their personal data, emphasizing its commitment to patient privacy. The hospital’s public statement clarified that the incident remained confined to its Dubai operations, with no operational disruption to clinical services reported. AvosLocker did not respond to external inquiries regarding their claims by the time of initial reporting.
