NHS England probes data leak after cyber attack on Synnovis blood-test provider
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
The NHS is investigating what the UK health service fears is its biggest leak of patient data in years, after a ransomware attack three weeks ago disrupted thousands of appointments and operations at major London hospitals.
Russian-speaking cyber crime group Qilin late on Thursday uploaded 104 files containing almost 400GB of information it said it had stolen from Synnovis, which provides pathology services for the NHS. The files were compressed so might, if downloaded, contain even more data, according to cyber security firm Secureworks.
NHS England said it was working with its blood testing and pathology provider, the National Cyber Security Centre and other partners to determine the “content of the published files as quickly as possible” and whether they contained patients’ personal details and test results.
The health service added that the attack, which has disrupted services, was being investigated by law enforcement agencies.
Synnovis, which processes blood tests on behalf of some NHS organisations in south-east London, confirmed it was aware of the leak and was investigating. “We know how worrying this development may be for many people,” it said in a statement. “An analysis of this data is already under way.”
The leak follows a hack on Synnovis at the beginning of this month that disrupted pathology departments at King’s College Hospital and at Guy’s and St Thomas’ NHS Foundation Trust, which runs three sites, as well as some GP surgeries, leading to cancelled or redirected appointments.
The NHS said on Thursday that 1,134 elective procedures and 2,194 outpatient appointments had been postponed at the two trusts since the attack on June 3.
Synnovis had adopted “temporary workarounds”, it said on Friday. Those include redirecting non-urgent blood tests and result processing to other pathology labs to ensure “sufficient capacity for urgent testing and to respond to the highest priority cases at St Thomas’ Hospital and King’s College Hospital”.
Qilin emerged about two years ago. It posted the first organisation it hacked to its leak site in October 2022, and has steadily increased its activity, listing 16 organisations as victims in May 2024.
Groups such as Qilin typically threaten to release data or further disrupt services unless organisations pay a ransom. Their targets are often organisations rich in data that may be vulnerable to an attack. Synnovis and NHS England declined to give details on demands or negotiations with the group.
The healthcare industry has become increasingly vulnerable to cyber attacks, with incidents on the rise while other sectors have experienced a decline.
Two-thirds of healthcare organisations in an annual poll from cyber security company Sophos said they had been hit by ransomware in the past year, up from 60 per cent surveyed in 2023. Most, however, were able to stop the attack before any data was encrypted.
“Healthcare organisations have been — and will continue to be — a prime target for ransomware attacks because the services they provide are so critical,” said Peter Mackenzie, Sophos’s director of incident response. “This puts pressure on the targets to get back online as fast as possible.”
Thursday’s leak follows multiple ransomware attacks on the NHS over the past decade. The biggest was the 2017 “WannaCry” hack on critical systems, estimated to have cost the health service £92mn with more than 19,000 cancelled appointments. Scotland’s NHS Dumfries and Galloway told patients last week that some of their data might have been published online following a breach in February.
Qilin has not revealed its location but researchers at Secureworks said the group spoke Russian and had attacked organisations in at least 30 countries. It has, however, never listed a victim from Russia or the Commonwealth of Independent States — the group of post-Soviet nations Russia is seeking to build close ties with.
Don Smith, vice-president of the Secureworks counter threat unit, said criminal gangs such as Qilin were “opportunistic in the hunt for the next payout”. They would therefore attack any organisation with data vulnerabilities that would be likely to pay a ransom to restore services and secure their details.
He said the latest attack “underlines that the healthcare sector, which is incredibly rich in data, must be protected”.
Comments