Hackers behind a London hospital attack recently published records that include personal information about pregnant women, cancer patients and thousands of other people across the UK and Ireland, revealing the breach was far more widespread than authorities have previously indicated.
An analysis of the data trove by Bloomberg News found that it contains tens of thousands of medical records on patients from more than 400 public and private hospitals and clinics. Among the records are some 40,000 highly sensitive documents sent by doctors requesting biopsies and blood tests for individual patients in all regions of the UK and some hospitals in Ireland.
Related: Hackers Grow More Sinister and Brazen in Hunt for Bigger Ransoms
The June 3 attack against lab-services provider Synnovis locked down critical computer systems used to provide blood-testing and transfusion services to National Health Service hospitals and clinics, primarily in South East London. Bloomberg’s analysis indicates the impact extends much further.
Synnovis said in an emailed statement that the company’s “administrative working drive” had been published by the hackers in a partial form. The company added that the data would contain “some fragments” of patient identifiable data, and it was continuing to investigate the contents.
NHS England referred to a statement it published on Monday, which said: “We understand people may be concerned by this, and Synnovis are working at pace to carry out the further analysis required to understand the full scale and nature of the data released and patients impacted.”
A Russian-speaking hacker group, known as Qilin, claimed credit for the attack against Synnovis. Blood tests have been severely curtailed over the past few weeks, while more than 1,000 operations and 2,000 outpatient appointments were delayed, primarily at hospitals and primary care services in south London.
Related: UK Hospital Hackers Say They’ve Demanded $50 Million in Ransom
Qilin demanded a $50 million ransom from Synnovis but subsequently posted about 400 gigabytes of data stolen from the company on the social media platform Telegram.
The stolen records are dated between 2013 and 2023 and many contain detailed, handwritten descriptions of each patient’s condition, along with their name, address, and date of birth. The trove also includes thousands of spreadsheets and invoices detailing various blood and other tests carried out for individual patients. The documents detail a wide variety of patients’ health conditions, including forms of cancer, skin infections, burns, ulcers, and organ and bone marrow transplants.
Saira Ghafur, an expert in health care cybersecurity at Imperial College London, said the breach could be the worst the NHS has ever experienced, both in terms of impact to patient care and the amount of data stolen and published online.
“This is an egregious attack on national security and a massive attack on patient safety,” she said.
It’s not clear how the hackers were able to compromise Synnovis, which has said it’s investigating. But some of the organizations affected by the breach were aware of cybersecurity vulnerabilities dating back for years, Bloomberg News previously reported.
A breach of the kind faced by Synnovis was inevitable, according to Saif Abed, a former NHS doctor and expert in cybersecurity and public health. “The NHS has some of best patient safety and cybersecurity standards in the world,” Abed said. “They are just immensely poorly enforced.”
Abed said that there was a lack of mandatory cybersecurity audits on any contractors providing services to the NHS, which meant those contractors could have substandard cybersecurity practices that could in turn leave the NHS vulnerable.
A spokesperson for NHS England said in an emailed statement that it was increasing “cyber resilience” across the country and had invested more than £338 million ($427 million) over the past seven years.
The hackers behind the attack said in messages to Bloomberg News that they had given Synnovis a 120-hour deadline to pay the $50 million ransom and “cut off contacts” when the deadline expired. The group refused to accept responsibility for potential harm caused to patients as a result of the attack and claimed they had carried it out because they were opposed to the British government.
Brett Callow, threat analyst at cybersecurity firm Emsisoft, said he suspected the gang’s motivation for hacking Synnovis was purely financial. “The individuals responsible for this may well be twenty-somethings with more money and arrogance than brains,” he said. “They may believe that blurring their motivation may help blur their identity.”
The UK’s National Crime Agency has opened a criminal investigation into the incident.
“We are working closely with the National Cyber Security Centre, NHS England and our international law enforcement partners, to progress our investigation and support the incident response,” the agency said in a statement.
Top photo: National Health Service branding on laboratory coats at Guy’s and St Thomas’s Hospital is London, UK, on Thursday, May 25, 2023. Britain is “absolutely open for business in really high-value science and technology industries,” Chloe Smith, UK science, innovation and technology secretary said, during an interview, citing the case of Oxford Nanopore, that made one of the UK’s best-ever market debuts in 2021.
Was this article valuable?
Here are more articles you may enjoy.
NFL Hit With $4.7 Billion Damages in Sunday Ticket Trial 
Wildfire Threats Make Utilities Uninsurable in U.S. West 
Experts Answer: ‘Is’ is More Than Just a Verb in a Policy 
Farmers Adjusters Cry Foul Over Workloads, Claims Handling in Letter to Regulators 
Want to stay up to date?
Get the latest insurance news
sent straight to your inbox.