
Cyber Incident Victim: Barts Health NHS Trust

Date: Jun 2023

Location: United Kingdom

Summary

Barts Health NHS Trust experienced a cyberattack which was detected and contained immediately. An investigation involving IT forensic experts and law enforcement agencies was initiated. The attackers claimed access to a large amount of data, but these claims remain unverified. It was confirmed that personal information for four individuals was posted on the dark web, and those affected have been contacted. There is no evidence that any patient data was accessed, and a criminal investigation is underway.

Description

On 30 June 2023, Barts Health NHS Trust detected a cyberattack and immediately initiated its response protocols. Upon discovery, the organization took immediate steps to contain the breach and mitigate its potential effects. This initial containment was a critical first action to prevent any further unauthorized access or damage to its network and data systems. As part of its standard incident response procedure, the Trust engaged with specialist IT forensic experts to conduct a detailed investigation into the nature and scope of the attack. The primary goal of this forensic analysis was to determine the exact methods used by the attackers, the point of entry into the system, and the full extent of any data that may have been accessed or exfiltrated.

Concurrently with launching its internal investigation, Barts Health NHS Trust formally notified several key national authorities about the security incident. The organization reported the breach to the NHS England cyber security operations centre, ensuring the wider National Health Service infrastructure was aware and could take any necessary protective measures. Furthermore, the National Crime Agency and the Metropolitan Police cyber crime unit were notified, leading to the opening of a formal criminal investigation. The Trust also informed the National Cyber Security Centre (NCSC), the UK's authority for cyber security, and the Information Commissioner’s Office (ICO), the independent body responsible for upholding information rights. This multi-agency involvement underscored the serious nature of the incident and the coordinated response required.

The criminal investigation, led by the Metropolitan Police cyber crime unit, significantly impacted the amount of information the Trust could publicly disclose regarding the incident. The need to preserve the integrity of the police investigation meant that Barts Health had to balance transparency with its stakeholders against the risk of compromising law enforcement efforts. Despite this constraint, the Trust acknowledged the concern that the incident would understandably generate among its staff, patients, and partner organizations. The group responsible for the attack publicly claimed to have successfully accessed a large amount of data from the Trust's systems. However, Barts Health explicitly stated that these claims had not been verified at the time of their public update. The process of assessing the level of risk posed by the attack was described as a lengthy and complex undertaking, requiring meticulous analysis by digital forensics professionals.

As the investigation progressed, Barts Health was able to confirm one specific and tangible consequence of the attack. The Trust verified that some personal information pertaining to four individuals had been posted by the attackers on a part of the internet not accessible through conventional search engines, commonly referred to as the dark web. This confirmation provided evidence that at least a limited amount of data had been exfiltrated and was being misused by the threat actors. Upon identifying these four individuals, Barts Health NHS Trust directly contacted each of them to inform them that their personal information had been exposed. The organization offered these individuals support to help them deal with the potential ramifications of this data exposure, a standard step in data breach response protocols aimed at mitigating harm to affected people.

A significant finding from the initial investigation stages, as communicated by the Trust, was that there was no evidence that any patient data had been accessed during the cyberattack. This statement was a crucial piece of information intended to provide reassurance to the vast number of patients under the Trust's care. Barts Health serves a large population in London, and a confirmed breach of patient records would have constituted a major incident with serious implications for patient confidentiality and trust. The absence of evidence for patient data access was a positive development, though the investigation into the full extent of the breach remained ongoing.

In its communications, Barts Health contextualized the incident within the broader threat landscape facing large organizations, particularly those in the healthcare sector. The Trust noted that it was not alone in being a victim of such cyber attacks, highlighting that healthcare providers globally are frequent targets for cybercriminals. This statement served to acknowledge the pervasive nature of the cyber threat without diminishing the seriousness with which the Trust was treating its own incident. The organization used the opportunity to reiterate standard cybersecurity guidance, urging vigilance against phishing emails, which are a common vector for initiating attacks. Staff and patients were advised to be cautious and to avoid opening any attachments that could not be verified.

The overall response from Barts Health NHS Trust demonstrated a methodical approach focused on containment, investigation, and regulated communication. The engagement of external IT forensic specialists indicated a recognition of the need for highly specialized skills to handle such a complex incident. The proactive notification of regulatory and law enforcement bodies showed compliance with legal and operational obligations. The direct support offered to the four individuals whose data was confirmed to be exposed reflected an adherence to principles of data protection and victim care. Throughout the process, the organization emphasized that it was taking the incident extremely seriously and acknowledged the patience required from its stakeholders as the lengthy investigative work continued to establish the full facts of the cyberattack.
