Health and care software supplier Advanced has confirmed that client data was accessed and extracted by hackers during a cyber incident in August 2022.

The variant of malware used by the perpetrators was LockBit 3.0, during the attack that has left some trusts without access to key software systems for two months.

In a new summary of the incident seen by Digital Health News, Advanced confirmed that the perpetrators of the attack were financially motivated and “were able to
temporarily obtain a limited amount of information from our environment pertaining to approximately 16 of our Staffplan and Caresys customers”. Both software systems are used to manage care homes and services.

Lockbit 3.0 uses the so-called double extortion method, involving both encrypting and exfiltrating (or transferring) a victim’s files to another device.

Advanced said that it has notified each of those affected customers as the controllers of the exfiltrated data.

Describing how the attack began, the Advanced report states: “The threat actor initially accessed the Advanced network using legitimate third-party credentials to establish a remote desktop (RDP) session to the Staffplan Citrix server.”

“During the initial logon session, the attacker moved laterally in Advanced’s Health and Care environment and escalated privileges, enabling them to conduct reconnaissance, and deploy encryption malware. Immediately prior to encrypting systems, the threat actor copied and exfiltrated a limited amount of data.”

Describing Advanced’s response, the report adds: “Upon first detecting suspicious activity, our security team promptly disconnected the entire Health and Care environment to contain the threat and limit encryption to a small number of systems.

“However, by taking this action, our customers lost access to Health and Care platforms, as well as a limited number of non-health and care environments and services, such as eFinancials.”

The report goes on to describe recovery efforts: “Although we were equipped and able to completely rebuild certain health and care products by the Monday following the incident, we were required to satisfy an assurance process set forth by our partners at the NCSC [National Cyber Security Centre], NHS, and NHS Digital.”

The report says that meeting the requirements of the assurance process is proving time consuming and is ongoing.

“As we learned more about this assurance process and adjusted in real time to meet certain requirements, it took longer than expected, which has impacted our overall recovery timeline. We have prioritized safety and security during every step of our recovery process,” it says.

The assurance process remains ongoing for systems and environments beyond Adastra and 111, including the CareNotes EPR system, which is currently unavailable at 12 NHS mental health trusts.

The report concludes: “This is time consuming and resource intensive and it continues to contribute to our recovery timeline.

“As we work through scanning and clearing systems, we are in parallel continuing to assess and/or develop recovery plans for remaining impacted products.”