A ransomware gang claims to have stolen data from the Alder Hey children’s hospital in Liverpool, allegedly including patient records.

The INC Ransom group said it had published screenshots of data on the dark web that contained the personal information of patients, donations from benefactors and procurement information.

Sources confirmed that snapshots of spreadsheets purporting to be from Alder Hey’s systems had been displayed on the INC site carrying the message “evidence of large scale data”. There were 11 screenshots, understood to contain names, addresses, medical reports and financial papers.

The Alder Hey children’s NHS foundation trust said it was aware of the alleged leak and was working to verify whether the data belonged to the hospital.

“We are aware that data has been published online and shared via social media that purports to have been obtained illegally from systems shared by Alder Hey and Liverpool Heart and Chest hospital NHS foundation trust. We are working with partners to verify the data that has been published and to understand the potential impact,” the trust said.

Alder Hey treats more than 450,000 patients a year making it one of Europe’s busiest children’s hospitals. It said its services were operating as normal and patients should continue to attend appointments.

The hospital said it was working with the National Crime Agency to secure its IT systems and that the alleged data theft was not linked to another “cyber incident” that occurred this week at the nearby Wirral university teaching hospital NHS trust. The NCA has been contacted for comment.

Ransomware gangs typically operate out of Russia or former Soviet Union countries. They hack into their targets’ computer systems and cripple them by inserting malware into the network, extracting data at the same time. They then threaten to leak the stolen data online unless they receive a payment, usually demanded in bitcoin.

Last year, victims of ransomware attacks paid out a record $1.1bn (£866m) to assailants, according to the cryptocurrency research firm Chainalysis, double the 2022 total.

Healthcare organisations are frequently targeted by ransomware gangs. In June, two major hospital trusts in London were subject to a ransomware attack which disrupted operations and accessed 300m patient interactions including the results of blood tests for HIV and cancer.

The INC ransomware gang first emerged in July 2023 and as of April this year its second most popular target was healthcare organisations, the majority of them based in the US. However it has also claimed victims in the UK and this year said it was responsible for an attack on NHS Dumfries and Galloway health board.

Rafe Pilling, the director of threat research at the cybersecurity firm Secureworks, said a partial leak of data was typical of ransomware gangs’ attempts to secure a payment.

“This is an attempt to apply pressure to the organisation,” he said.

A senior NHS official said trusts were advised not to pay ransoms and instead work with the NCA to respond to any demands.