Ransomware / Resolved

Moorfields Eye Hospital Dubai ransomware attack

The AvosLocker ransomware gang attacked the Dubai branch of NHS-affiliated Moorfields Eye Hospital, exfiltrating roughly 60 GB of patient and staff data including ID cards, insurance claims and internal records, then dumping it online.

Victim
Moorfields Eye Hospital Dubai

In August 2021, the AvosLocker ransomware group attacked the Dubai branch of Moorfields Eye Hospital, the internationally branded outpost of the UK's renowned NHS-affiliated Moorfields Eye Hospital. The gang claimed to have stolen roughly 60 GB of patient and staff data and, when its demands were not met, published it online in a classic double-extortion operation.

What happened

AvosLocker listed the victim on its dark-web leak site on 15 August 2021 as "Moorfields NHS UK & Dubai," implying a breach of the London parent organisation. In reality, only the Dubai hospital's systems were affected; there was no evidence that UK NHS servers were touched. Moorfields confirmed the "IT security incident" on 16 August, stating it impacted its Dubai operations and that affected patients were being notified.

True to the double-extortion model, AvosLocker both encrypted systems and exfiltrated data. When the hospital did not pay, the gang dumped a first batch of stolen files and, on 1 September 2021, released the remainder of the trove.

Impact

  • Approximately 60 GB of internal data was exfiltrated.
  • The stolen files reportedly included copies of patient ID cards, insurance claims, financial documents, hospital call logs and internal messages: highly sensitive healthcare and identity data.
  • Because the data concerned an eye hospital's patients, it carried both medical-privacy and identity-fraud risks for affected individuals in the UAE.
  • Moorfields notified affected Dubai patients and engaged in incident response and remediation; no ransom payment was confirmed.

Attribution

The attack was claimed by AvosLocker, a ransomware-as-a-service operation that emerged in mid-2021 and targeted critical-infrastructure and healthcare organisations worldwide. AvosLocker was later the subject of a 2022 FBI/FinCEN advisory warning that it had attacked entities across multiple U.S. critical-infrastructure sectors. The Moorfields Dubai operation was among its early high-profile healthcare hits.

Why it matters

The Moorfields Dubai breach highlighted the exposure of internationally branded healthcare providers operating in the Gulf, where a globally recognised name can attract attackers seeking maximum leverage and publicity. It illustrated how double-extortion ransomware turns patient data into a coercion tool, and reinforced the need for segregated, well-defended overseas branch networks even when the parent organisation's home systems remain untouched.

Timeline

  1. AvosLocker lists 'Moorfields NHS UK & Dubai' on its leak site, claiming to have stolen 60 GB of data.

  2. Moorfields confirms a cybersecurity incident affecting only its Dubai operations and begins notifying impacted patients.

  3. AvosLocker dumps the remainder of the exfiltrated data after the hospital does not meet its demands.

  4. Reporting confirms additional staff and patient records, including ID cards and call logs, were published online.

Sources

  1. databreaches.net: https://databreaches.net/2021/08/16/moorfields-eye-hospital-investigating-cyberattack-on-dubai-hospital-notifying-patients/
  2. govinfosecurity.com: https://www.govinfosecurity.com/avoslocker-claims-data-theft-from-another-healthcare-entity-a-19083
  3. digitalhealth.net: https://www.digitalhealth.net/2021/08/moorfields-eye-hospital-dubai-it-security-incident/
  4. databreaches.net: https://databreaches.net/2021/09/13/uae-moorfields-eye-hospital-in-dubai-sees-more-staff-and-patient-data-dumped/
