Data from a ransomware attack has allegedly been published online weeks after the attack halted operations and tests in major London hospitals, NHS England has said.
A Russian group carried out the cyber-attack on Synnovis, a private pathology firm that analyses blood tests for Guy’s and St Thomas’ NHS foundation trust (GSTT) and King’s College trust, on 3 June, forcing hospitals in the capital to cancel almost 1,600 operations and outpatient appointments.
NHS England said on Friday it had “been made aware that the cyber-criminal group published data last night which they are claiming belongs to Synnovis and was stolen as part of this attack. We know how worrying this development may be for many people. We are taking it very seriously.”
In the attack, hackers from the Russian-based ransomware criminal group Qilin infiltrated Synnovis’s IT system and locked the computer system by encrypting its files to extort a payment for restoring access. The trusts have contracts with Synnovis totalling just under £1.1bn for services that are vital to the smooth running of the NHS.
Qilin published 104 files, with each containing 3.7GB of data, on a messaging platform. The post is topped with an image of the Synnovis logo, a description of the company and a link to its website. The Guardian could not confirm the contents but the BBC reported on Friday that the data included patient names, dates of birth, NHS numbers and descriptions of blood tests, although it is not known if test results have been leaked as well.
NHS England said an analysis of the data was under way involving the National Cyber Security Centre and other partners to confirm whether the data was taken from Synnovis’s systems and what information it contained.
Typically, the release of stolen data by ransomware gangs is a sign that Synnovis has not made a payment – usually demanded in the cryptocurrency bitcoin – for the decryption of its systems or deletion of taken files.
Don Smith, the vice-president of the threat research at Secureworks, a cybersecurity firm, said the attack had highlighted the vulnerability of the health sector, because its troves of data make it a prime target. The Qilin attack follows a hack on the NHS Dumfries and Galloway health board where patient data was stolen.
He said: “It follows closely in the wake of attacks on the NHS in Dumfries and Galloway and underlines that this sector, which is incredibly rich in data, must be protected.”
When the hack began, seven hospitals run by two NHS trusts experienced serious disruption to their services, including cancelling or moving elective operations. Two major acute hospital trusts in London postponed 832 surgical procedures, including cancer surgery and organ transplants among others, between 3 June and 9 June.
The disruption affected hospitals including Guy’s, St Thomas’ and King’s College, as well as the Evelina children’s hospital, Royal Brompton, the Harefield specialist heart and lung hospitals and the Princess Royal hospital in Orpington.
