Russian hackers have stolen records covering 300m patient interactions with the NHS, including the results of blood tests for HIV and cancer, the Guardian can reveal.
The amount and sensitive nature of the data obtained by the Qilin hacking gang has caused alarm among NHS bosses, who are scrambling to set up a helpline to deal with inquiries from what could be a large number of worried patients and also health service staff.
Seven hospitals run by two NHS trusts were affected by the attack, which targeted Synnovis, a private/NHS joint venture that provides pathology services such as blood tests and transfusions. It is unclear at this stage if the hack involves only hospitals in the trusts or is more widespread.
The NHS’s anxiety about the impact of the attack increased on Friday after Qilin acted overnight on a threat to put stolen NHS data into the public domain, an indication that Synnovis has refused to pay a reported $50m (£40m) ransom.
It is as yet unclear exactly what data, or how much of the haul, the ransomware group has made public. But the stolen data includes details of the results of blood tests conducted on patients having many types of surgery, including organ transplants, or suspected of having a sexually transmitted infection, or who have had a blood transfusion, well-placed sources have disclosed.
In a development that will cause anxiety among patients who have received private healthcare in recent years, Qilin’s haul is understood to include records of tests that people have had at multiple private healthcare providers. It is not clear which private healthcare firms Synnovis – a joint venture between the pathology firm Synlab and two major London acute hospital trusts – works for.
The number of test results in the data that Qilin seized in the hack on 3 June is so huge because it covers tests that patients have had going back a significant number of years, sources say.
The ransomware group posted 104 files of data overnight on a messaging platform. The Guardian was unable to verify the contents of the posted files, which contained a total of about 380GB of data. The post was topped with an image of the Synnovis logo, a description of the company and a link to its website.
The BBC reported that the files contained patient names, dates of birth, NHS numbers and descriptions of tests.
Typically, if a ransomware gang posts data it has stolen, it is a sign that the victim has declined to pay a ransom to decrypt its IT systems and delete the stolen data.
The hack has caused huge problems for the King’s College and Guy’s and St Thomas’ hospital trusts as well as scores of GP practices across south-east London, which between them care for 2 million patients, because it has left them able to order only a fraction of the number of blood tests they normally do.
The two trusts had to cancel 1,134 planned operations, including cancer and transplant surgery, and postpone 2,194 outpatient appointments in the first 13 days alone after the attack, NHS England’s London region said on Thursday.
The NHS is working hard to shift what care it can to other providers and has managed over the past week to increase the number of blood tests it can do from 10% of the usual number to 30%.
But the fact that Synnovis has been locked out of its own IT system means the hospitals and GP surgeries affected are still having to severely ration access to blood tests.
Tim Mitchell, a senior researcher at the cybersecurity firm Secureworks, said the data posting signalled that the negotiation period had ended. “For the most part, by the time the data has been leaked the ransomware negotiations are generally over,” he said. Synnovis has not confirmed whether it has held talks with Qilin.
Qilin runs a ransomware-as-a-service operation, which hires out malware to fellow criminals in exchange for a cut of the proceeds. Mitchell said it was possible the attacker might have held back data in a further attempt to secure a payment, but that such a scenario seemed unlikely.
In a statement on Friday, NHS England said: “NHS England has been made aware that the cybercriminal group published data last night which they are claiming belongs to Synnovis and was stolen as part of this attack.
“We understand that people may be concerned by this and we are continuing to work with Synnovis, the National Cyber Security Centre and other partners to determine the content of the published files as quickly as possible. This includes whether it is data extracted from the Synnovis system, and if so whether it relates to NHS patients.”