Two NHS trusts affected by cyber attack on mobile phone software
- 29 May 2025
- NHS England is investigating a cyber incident at University College London Hospitals NHS Foundation Trust (UCLH) and University Hospital Southampton NHS Foundation Trust
- Hackers exploited a vulnerability in the Ivanti Endpoint Manager Mobile software, which helps businesses manage employee phones
- UCLH confirmed the hacked product did not contain patient data or staff passwords but did contain some staff mobile and IMEI numbers
NHS England is investigating a cyber incident at University College London Hospitals NHS Foundation Trust (UCLH) and University Hospital Southampton NHS Foundation Trust.
A spokesperson for UCLH told Digital Health News that a software product used at the trust to manage UCLH mobile phones and tablets was” briefly compromised” earlier in May 2025.
āThe product, which did not contain patient data or staff passwords, was made secure swiftly.
“The product did contain some staff mobile and IMEI numbers and we are contacting those staff affected.
āWe want to reassure patients and staff that we are committed to protecting their data and privacy and we are investigating this matter thoroughly with NHS Englandās cyber security response team,” the spokesperson added.
Sky News reported thatĀ data was taken after hackers exploited holes in the IvantiĀ Endpoint Manager Mobile (EPMM) software, a programme that helps businesses manage employee phones.
Analysts at intelligence threat platform EclecticIQ told Sky News the software’s vulnerability had allowed hackers to access, explore and run programmes on their targetās systems using an IP address based in China.
Although the hole in Ivantiās software has been fixed, EclectricIQ warned that the attack could leave hackers able to access other data like patient records and further parts of the network via a process called remote code execution (RCE) – running programmes on compromised systems.
A statement on Ivanti’s website, published on 22 May 2025, said: āIvanti has released updates for Endpoint Manager Mobile (EPMM) which addresses one medium and one high severity vulnerability.
āWhen chained together, successful exploitation could lead to unauthenticated remote code execution.
āWe are aware of a very limited number of customers whose solution has been exploited at the time of disclosure.ā
A spokesperson for NHS England told Digital Health News that there is “currently no evidence to suggest patient data has been accessedā, adding that āhealth services are not currently affectedā.
“We are currently investigating this potential incident with cyber security partners, including the National Cyber Security Centre, and the trusts mentioned.
āNHS England provides 24/7 cyber monitoring and incident response across the NHS, and we have a high severity alert system that enables trusts to prioritise the most critical vulnerabilities and remediate them as soon as possible,” the spokesperson said.
A spokesperson for the National Cyber Security Centre said that they are working to fully understand the UK impact following reports that critical vulnerabilities in the Ivanti software have been exploited.
āThe NCSC strongly encourages organisations to follow vendor best practice to mitigate vulnerabilitiesĀ and potential malicious activity.
“Vulnerabilities are a common aspect of cyber security, and all organisations must consider how to most effectively manage potential security issues,ā they added.
Commenting on the attack, Graeme Stewart, head of public sector at Check Point Software, said: “This wasn’t a one-off. Itās part of a growing pattern in which critical sectors, such as healthcare, are being quietly compromised through third-party software.”
Meanwhile, in May 2025, suppliers to the NHS were urged by NHSE to sign a charter of cyber security best practice.
