Major Security Breach at NHS Professionals That Was Never Published Reveals Concerning Vulnerabilities

Written by:
Lore Apostol
Cybersecurity & Streaming Writer

A serious cybersecurity incident at NHS Professionals (NHSP), the U.K. government-owned staffing organization for the National Health Service, has come to light. Investigators revealed that in May 2024, cybercriminals compromised NHSP’s systems.

The security incident potentially resulted in hackers stealing its Active Directory (AD) database. Despite the severity of the attack, NHSP never made the data breach public.

According to documents obtained by The Register, Deloitte’s incident response team linked the breach to a compromised Citrix account, allowing attackers to escalate privileges and move laterally within NHSP's network. 

Using tools like WinRM and Cobalt Strike, the attackers gained access to NHSP's domain administrator level, ultimately exfiltrating the AD database along with every user’s hashed credentials. 

NHS insiders said the attack bore Scattered Spider marks, but Deloitte lacked evidence to attribute the attack to any single known group. Although ransomware deployment was suspected, the attack reportedly stopped short of that phase.

The breach exposed significant security weaknesses in NHSP’s systems. Multi-Factor Authentication (MFA) was not enforced across all domain accounts, and Endpoint Detection and Response (EDR) coverage was limited, since Microsoft Defender for Endpoint had not been deployed to every endpoint, which allowed the attackers to operate undetected.

Another issue identified was insufficient log management: key logs needed for incident analysis were retained only for brief periods, which significantly hindered the investigation.

NHSP has taken steps to enhance its cybersecurity posture, including resetting certificates, rotating all user passwords, and disabling certain risky Citrix features. However, Deloitte's report noted that broader remediation efforts were still ongoing over a year after the breach. 

Cybersecurity professionals have called this a “major compromise,” emphasizing the severity of the AD theft. Rob Dyke, an experienced health tech leader, highlighted the resource-intensive nature of recovering from such an attack, stating it demands significant planning, time, and expertise.

While NHSP claims no disruption to services, the unaddressed vulnerabilities pose long-term risks.

In November last year, NHS vendor Advanced faced a £6 million fine for poor cybersecurity regarding the 2022 LockBit attack.
