Cyber Incident Victim: National Health Service
Date: Aug 2017
Location: United Kingdom
Summary
A healthcare provider in Scotland experienced a ransomware attack involving a new variant of Bitpaymer, leading to system disruptions and the cancellation of some patient appointments. IT teams worked to restore affected systems over a weekend, with most services returning promptly and remaining issues resolved shortly thereafter. The incident likely originated from a phishing email, prompting security updates from the provider's IT partners to mitigate future risks. While contingency plans minimized service interruptions, affected patients were prioritized for rescheduling. The organization confirmed its systems were up-to-date prior to the attack, underscoring the novel nature of the ransomware strain.
Description
On August 25, 2017, NHS Lanarkshire detected malware within its IT systems, later identified as a new variant of Bitpaymer ransomware. The health board, responsible for three hospitals serving over 654,000 residents in North and South Lanarkshire, immediately took affected systems offline to contain the infection. This disruption forced the cancellation of patient appointments and procedures, though the exact number was not specified. NHS Lanarkshire activated contingency plans, with IT staff working throughout the weekend to restore operations. Patients were advised to avoid Accident and Emergency departments unless absolutely necessary. By Monday, the majority of impacted systems had been reinstated, with remaining issues resolved shortly thereafter. Chief Executive Calum Campbell acknowledged the cancellations, apologized to affected patients, and stated efforts were underway to reschedule appointments promptly. The incident marked the second major cyberattack on the organization within months, following its significant disruption during the WannaCry outbreak in May 2017.

NHS Lanarkshire collaborated with IT service providers to investigate the breach, concluding the ransomware likely originated from a phishing email—a common delivery method for such attacks. The health board emphasized its software and systems were up to date at the time of infection, attributing the compromise to the novel nature of this Bitpaymer strain. Its security provider subsequently issued an update to defend against the specific variant. While the attack affected only a limited number of systems, the cancellations highlighted healthcare’s vulnerability to operational paralysis during cyber incidents. The organization’s prior experience with WannaCry likely informed its rapid containment response, though the recurrence underscored hospitals’ attractiveness as ransomware targets due to their critical need for uninterrupted network access. No data theft or ransom demands were mentioned in available reports.
