Data on 300 million patient interactions with NHS stolen in Russian hack

Russian hackers have stolen data on 300 million patient interactions with the NHS, including blood test results for HIV and cancer, the Guardian can reveal.

The volume and sensitive nature of the data obtained by the Qilin hacking gang has caused alarm among NHS bosses, who are scrambling to set up a helpline to answer questions from potentially a large number of concerned patients and also healthcare workers.

Seven hospitals run by two NHS trusts were hit by the attack, which targeted Synnovis, a private/NHS joint venture that provides pathology services such as blood tests and transfusions. It is unclear at this stage whether the hack only affects hospitals in the trusts or is more widespread.

NHS concerns about the impact of the attack increased on Friday after Qilin acted overnight on a threat to post stolen NHS data into the public domain, an indication that Synnovis has refused to pay a ransom of reportedly $50 million.

It is still unclear exactly what data, or how much of the loot, the ransomware group has made public. But the stolen data included details of the results of blood tests carried out on patients who have undergone many types of operations, including organ transplants, or are suspected of having a sexually transmitted infection, or who have had a blood transfusion, well-placed sources have revealed.

In a development that will cause fear among patients who have received private healthcare in recent years, Qilin’s loot is also believed to include data from tests people have undergone at multiple private healthcare providers. It is not clear which private healthcare companies Synnovis – a joint venture between pathology company Synlab and two major London acute hospital trusts – works for.

The number of test results in the data seized by Qilin in the June 3 hack is so large because they involve tests that patients have undergone for a significant number of years, sources say.

The ransomware group posted 104 data files on a messaging platform overnight. The Guardian was unable to verify the contents of the posted files, which totaled approximately 380 GB of data. The message was accompanied by an image of the Synnovis logo, a description of the company and a link to the website.

The BBC reported that the files contain patient names, dates of birth, NHS numbers and descriptions of tests.

When a ransomware gang posts stolen data, it is usually a sign that the victim has refused to pay a ransom to decrypt IT systems and delete the stolen data.

The hack has caused huge problems for King’s College and Guy’s and St Thomas’ hospital trusts, as well as dozens of GP practices in south-east London, which together care for 2 million patients, as it only allowed them to order a fraction of the number of blood tests they normally do.

The two trusts had to cancel 1,134 planned surgeries, including cancer and transplant surgery, and postpone 2,194 outpatient appointments in the first 13 days after the attack alone, the London region of NHS England said on Thursday.

The NHS is working hard to transfer the care it can provide to other providers and in the past week has managed to increase the number of blood tests it can do from 10% of the usual number to 30%.

But the fact that Synnovis no longer has access to its own IT system means that affected hospitals and GP practices are still having to severely ration access to blood tests.

Tim Mitchell, a senior researcher at the cybersecurity firm Secureworks, said the posting of data indicated the negotiation period had ended. “By the time the data is leaked, the ransomware negotiations will be largely over,” he said. Synnovis has not confirmed whether it has had discussions with Qilin.

Qilin runs a ransomware-as-a-service operation, renting malware to fellow criminals in exchange for a cut of the proceeds. Mitchell said it was possible that the attacker withheld data in another attempt to secure payment, but that such a scenario seemed unlikely.

In a statement on Friday, NHS England said: “NHS England has been made aware that the cybercriminal group published data last night which they claim belongs to Synnovis and has been stolen as part of this attack.

“We understand that this may be of concern to people and we continue to work with Synnovis, the National Cyber Security Centre and other partners to determine the contents of the published files as quickly as possible. This includes whether it is data extracted from the Synnovis system, and if so, whether it relates to NHS patients.”
