Business management software supplier Advanced has revealed that a total of 16 customers in the health and social care sector had their data compromised in the ransomware attack on its systems in August 2022, an attack that has now been attributed to the Lockbit 3.0 cyber crime gang.
The unnamed organisations involved were all users of Advanced’s Caresys and Staffplan services. Caresys is a care home management software package that supports both frontline care and back-office functions for residential care home operators, while Staffplan is a care rostering software package that supports mobile domiciliary care providers. All the affected customers have been notified and are receiving support.
The attack itself began on 2 August and was identified on 4 August, at which point Advanced’s security team disconnected its entire Health and Care environment to contain the threat and limit its impact. As a result, multiple other services went offline, including those used by frontline NHS organisations.
The biggest impact seen was to users of Advanced’s Adastra clinical patient management software, which underpins the majority of the NHS’s 111 services, but patient services at many other NHS bodies and healthcare providers were disrupted, with many taking weeks to get back on their feet.
Advanced said that the Lockbit 3.0 crew accessed its network using a legitimate set of third-party credentials to establish a remote desktop protocol (RDP) session on a Staffplan Citrix server. From there they were able to move laterally through the organisation’s Health and Care environment, escalate their privileges and deploy the ransomware. Immediately before executing the ransomware and encrypting Advanced’s systems, the gang exfiltrated a “limited” amount of data. Advanced did not say whether any of this data related to patients.
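One detection that follows directly from the initial-access path described above is to alert whenever a third-party account opens an RDP session from outside its agreed source network or maintenance window. The script below is an added example, not code from Advanced or from the article; the vendor account name, host name, subnets, time window and log lines are all constructed, and the log format (Windows Security 4624 events flattened to key=value lines) is an assumption.

```python
"""Flag RDP logons by third-party (vendor) accounts that fall outside policy.

Assumption (not from the article): Windows Security 4624 events have been
flattened to one key=value line each. The policy table and logs are constructed.
"""
from datetime import datetime, time
import ipaddress

# Constructed policy: vendor account -> (approved source network, window start, window end)
VENDOR_POLICY = {
    "svc_vendor_support": (ipaddress.ip_network("203.0.113.0/24"), time(8, 0), time(18, 0)),
}

def parse_event(line):
    """Turn one flattened 'key=value key=value' line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def check_rdp_logon(event):
    """Return a reason string if the logon breaks vendor-access policy, else None.

    Only RemoteInteractive logons (LogonType 10, i.e. RDP) by accounts listed in
    VENDOR_POLICY are assessed; everything else is out of scope for this rule.
    """
    if event.get("EventID") != "4624" or event.get("LogonType") != "10":
        return None
    policy = VENDOR_POLICY.get(event.get("TargetUserName", ""))
    if policy is None:
        return None
    net, start, end = policy
    src = ipaddress.ip_address(event["IpAddress"])
    when = datetime.fromisoformat(event["TimeCreated"])
    if src not in net:
        return f"vendor account RDP from unapproved source {src}"
    if not (start <= when.time() <= end):
        return f"vendor account RDP outside maintenance window at {when.isoformat()}"
    return None

def find_violations(lines):
    """Run the rule over flattened log lines; return (time, user, host, reason) tuples."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        reason = check_rdp_logon(event)
        if reason:
            hits.append((event["TimeCreated"], event["TargetUserName"], event["Computer"], reason))
    return hits

# Constructed sample log: one off-network RDP logon, one in-policy logon,
# one after-hours logon, and one unrelated local logon.
SAMPLE_LOG = """\
TimeCreated=2022-08-02T02:14:09 EventID=4624 LogonType=10 TargetUserName=svc_vendor_support IpAddress=198.51.100.7 Computer=CTX-JUMP01
TimeCreated=2022-08-02T10:30:00 EventID=4624 LogonType=10 TargetUserName=svc_vendor_support IpAddress=203.0.113.20 Computer=CTX-JUMP01
TimeCreated=2022-08-02T23:05:41 EventID=4624 LogonType=10 TargetUserName=svc_vendor_support IpAddress=203.0.113.21 Computer=CTX-JUMP01
TimeCreated=2022-08-02T11:00:00 EventID=4624 LogonType=2 TargetUserName=jdoe IpAddress=- Computer=WS-0412
"""

if __name__ == "__main__":
    for hit in find_violations(SAMPLE_LOG.splitlines()):
        print(*hit)
```

Vendor accounts that are allowed RDP at all hours from anywhere simply never trip this rule, which is itself the point: the policy table is where least privilege for third-party access gets written down.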
“We were able to recover the limited amount of data obtained from our systems and we believe the likelihood of harm to individuals is low,” the company said in a new statement.
“This is based on our expert threat intelligence vendor’s considerable experience with cases of this nature and the fact that there is no evidence to suggest that the data in question exists elsewhere outside our control. We are, however, monitoring the dark web as a belt and braces measure and will let you know immediately in the unlikely event that this position changes.
The firm added: “We have been and continue to be in contact with the ICO, the NHS, the National Cybersecurity Centre (NCSC), and the National Crime Agency to provide regular status updates on this incident.
“Again, Advanced has now given required notice to all affected data controllers. If you were not contacted, your data was not copied out of the environment.”
Advanced said its teams have been working around the clock to get its systems and customers up and running again, but that the compliance and assurance checks mandated before services used by the NHS can be stood up have lengthened the recovery time.
“As we learned more about this assurance process and adjusted in real time to meet certain requirements, it took longer than expected, which has impacted our overall recovery timeline. We have prioritised safety and security during every step of our recovery process,” the company said.
“Our Health and Care environments beyond Adastra and 111 will also require additional compliance checks, scanning, and going through the same assurance processes. This is time consuming and resource intensive and it continues to contribute to our recovery timeline. As we work through scanning and clearing systems, we are in parallel continuing to assess and/or develop recovery plans for remaining impacted products.
“We are working diligently and bringing all resources to bear, including outside recovery specialists, to help us restore services to our customers as quickly as possible, and in the interim, providing data extracts and assisting with contingency planning as appropriate.”
Advanced has also implemented a number of enhanced cyber security measures, including scanning for identified indicators of compromise (IoCs), installing real-time monitoring, detection and response agents, resetting all passwords, rebuilding and hardening compromised systems, introducing enhanced network segmentation, and strengthening firewall rules.