A group of London hospitals have been caught in an alleged cyber attack after one of the year's most prominent ransom gangs published a purported sample of stolen data online.

Barts Health NHS Trust, which runs five London-based hospitals and delivers care for over 2.5 million people, confirmed it is investigating a ransomware incident after it was added to the dark web leak site of Russian-speaking ransomware gang ALPHV.

In its leak post, ALPHV claims to have stolen seven terabytes of sensitive data from Barts Health, sharing a sample of employee identification documents such as passports and driver licences, and internal emails labelled “confidential”.

The gang's dark web listing for Barts Health – which happens to be the UK's largest National Health Service (NHS) trust – also claims ALPHV has access to financial reports, insurance agreements, client credit card details, and “much more”.

While the alleged breach is a far cry from 2022's hack on health insurer Medibank – which resulted in the personal data of 9.7 million current and former customers being leaked – ALPHV suggests the incident may be the largest healthcare data breach in the UK.

“This is the most bigger leak from health care system in UK,” read ALPHV's dark web post.

In broken English, the 30 June post threatens Barts Health with a three-day window to get in contact and make a decision – presumably regarding a ransom – lest the Russia-linked gang starts to publish its allegedly stolen data.

“You have three days for contact with us,” reads the post.

“If you prefer keep silence, we will start publicate data, most of it – citizens confidential documents.”

A Barts Health spokesperson told Information Age it was aware some documents were published on the dark web by ALPHV, though they did not comment on whether the hospital group had responded to the ransom gang's demands.

“We have established that a handful of documents were illegally published on the dark web by Alphv, but no patient data was published,” said the spokesperson.

“A criminal investigation is underway, and we are working closely with NHS England and other experts including the National Crime Agency and Information Commissioner’s Office.”

Furthermore, the spokesperson did not dispute the legitimacy of the data samples published on ALPHV's dark web site, nor did they confirm whether any further data had been stolen.

Second NHS incident in a month

ALPHV's alleged attack marks the second breach of NHS data in less than a month.

In June, an NHS dataset containing data from 1.1 million patients across 200 hospitals was compromised during a ransomware attack against the UK's University of Manchester.

Hackers accessed the data after it was gathered by the university for research purposes – exposing both NHS numbers and incomplete portions of patients' postcodes.

“During the week commencing 5 June, we found out that the university was the victim of a cyber incident,” a University of Manchester spokesperson told The Independent.

“We confirmed on 23 June that our systems have been accessed and student and alumni data has been copied.”

The university said it is continuing its investigations and working closely with the UK's National Cyber Security Centre, the Information Commissioner's Office, and the National Crime Agency.

“Our in-house experts and external support are working around-the-clock to resolve this incident and respond to its impacts,” said the University of Manchester.

ALPHV gang behind year's biggest hacks

Ransom gang ALPHV, otherwise known as BlackCat, has been one of the most lucrative cyber criminal threat actors of 2023.

Last month, the Russia-linked hackers declared ownership of a phishing-driven hack on Reddit's systems – claiming to have stolen 80 gigabytes of data.

ALPHV threatened to release the data under the usual ultimatum of money, but interestingly, the gang also demanded Reddit roll back its controversial API changes – which Reddit ultimately did not do.

Meanwhile, in Australia the gang has been linked to a hack at law firm HWL Ebsworth – which led to the release of sensitive personal and government information held by a range of Australian federal entities.

Among those feared to have been caught in the hack are the Australian Federal Police, the Australian Taxation Office, and the Department of Defence.

“This is an evolving incident, and there may be additional impacted entities that have yet to be identified,” said Australia's newly appointed National Cyber Security Coordinator, Darren Goldie.

“As information continues to come to light, I am committed to keeping the community updated with information I am able to publicly share.”

At the time of writing, ALPHV has not leaked the full amount of allegedly stolen Barts Health data.