University College London Hospitals (UCLH) has confirmed a cybersecurity incident involving unauthorised access to a system containing staff mobile device information.
The impacted system was Ivanti Endpoint Manager Mobile (EPMM), which is widely used across the NHS.
EPMM helps businesses manage employee phones.
The Trust emphasised that patient data was not compromised.
In a statement, UCLH said: “There have been media reports that unauthorised users accessed a UCLH system in a cyber security incident. We want to reassure all our patients that we have no evidence [that] their data has been accessed. The UCLH system which was compromised contained data about staff mobile devices such as the mobile number and the IMEI number (a unique code to identify the phone on the mobile network). It did not contain passwords or patient data.”
The data exposed included mobile phone numbers and IMEI numbers, unique identifiers for each device, but no passwords or sensitive patient information.
University Hospital Southampton NHS Foundation Trust was also affected by a cybersecurity attack, but did not release a statement.
UCLH confirmed it took immediate steps to secure the affected system and is working with cybersecurity teams at NHS England to investigate the incident.
Cybersecurity experts warn that despite the limited data exposed, the breach could still have serious implications.
Lee Wright, Principal Security Consultant at cyber security expert tmc3, a Qodea company, highlighted the risks related to the compromised software, Ivanti Endpoint Manager Mobile (EPMM).
“It’s concerning to see the NHS once again under the spotlight for a cyber security attack. Given the widespread use of the Ivanti Endpoint Manager Mobile (EPMM) software, other NHS trusts should be on high alert for attacks, especially if they have not applied the necessary security patches,” Wright said.
He explained that the stolen data could be leveraged to launch further attacks.
“The data stolen includes staff phone numbers, IMEI numbers and authentication tokens. This information is crucial to support future attacks through phishing or smishing methods, or even to allow cyber criminals to impersonate users and bypass logins,” Wright warned.
Wright also described how exploiting the vulnerability in the EPMM software could serve as a gateway for cyber criminals to escalate attacks across NHS networks.
“Exploiting this EPMM vulnerability could lead to further issues too. For attackers, they would effectively be unlocking a back door by gaining access. From there, they could run code on the compromised system, move laterally through the network, and start probing for higher value assets, like patient databases. Patient records are gold for attackers. They fetch a high price on the dark web, and can be used for identity theft, insurance fraud, or even extortion,” he said.
He stressed the urgent need for NHS trusts to adopt a proactive approach to cybersecurity rather than reacting after attacks occur.
“To avoid attacks like this, every NHS trust should be operating as if it’s already a target – because it is. That means shifting from a reactive mindset to a proactive one. Some of the most important steps that organisations can take to reduce risk are unfortunately rarely conducted to a mature level.
“This includes staying on top of patching, especially for third party software like EPMM, applying network segmentation practice to stop attackers moving freely once they are in, and running regular security testing and audits.
“These steps, on top of regular staff training and maintaining an incident response plan, can make life harder for attackers while maintaining good preparation for when something goes wrong.”
This incident adds to a growing list of cyber attacks on the NHS, underlining the persistent threat facing healthcare providers and the critical importance of robust cyber defences.