• Northern Lincolnshire and Goole FT says it was hit by ransomware
  • Trust confirmed it did not pay a ransom as a result of cyber attack
  • Claims the virus entered the trust’s network through a USB stick “have no grounding in fact”, trust director says

The cyber attack experienced by Northern Lincolnshire and Goole Foundation Trust in October was caused by a variant of ransomware, a trust director has revealed.

The virus, called Globe2, works by encrypting files with an algorithm that makes them inaccessible. Victims of blackmail ransomware then receive messages in an attempt to elicit money.

Attacks often begin as a result of “phishing” emails, which contain malicious website links or attachments that once activated release the virus that targets key files.

A trust spokeswoman told HSJ this week it did not pay any ransom as a result of the attack, which led to 2,800 appointments being cancelled during the 48-hour attack as the trust shutdown computer systems.

Pam Clipson, the trust’s director of strategy and planning, said it was not ready to provide details of how the perpetrator gained access to the trust’s network because West Yorkshire police’s investigation was ongoing.

A trust spokeswoman said: “The police investigation is still continuing, so it wouldn’t be appropriate to comment.”

However, Ms Clipson said claims the virus accessed the network through a USB stick or due to remote working have “no grounding in fact”.

Last month, Martyn Smith, director of IT and innovation at neighbouring Hull and East Yorkshire Hospitals Trust, said the source of the virus may have been a USB stick or an employee working remotely. The trust subsequently told HSJ Mr Smith’s comments were “speculative”.

Northern Lincolnshire and Goole board papers from 30 November described the virus as “a variant of a malware package which was placed inside the trust’s network by a remote intruder”.

The attack was halted shortly after it started, the papers said, but “data elements on a number of trust servers were encrypted”.

Ms Clipson said: “Our teams took immediate action upon detection of the attack, minimising its impact. Any potentially encrypted servers were checked and cleansed both prior to switching off and before returning to ‘live’ status.

“We liaised with an external cyber security company and the police to ensure our response to the incident was as rigorous as possible.

“The trust took the decision to halt routine appointments in order to ensure patient safety while we eradicated the issue.”

Topics