London hospitals hackers publish stolen blood test data

A gang of cyber criminals causing huge disruption to multiple London hospitals has published sensitive patient data stolen from an NHS blood testing company.

Overnight on Thursday, Qilin shared almost 400GB of the private information on their darknet site.

The gang has been trying to extort money from NHS provider Synnovis since they hacked the firm on 3 June.

Cyber security expert Ciaran Martin told the BBC it was “one of the most significant and harmful cyber attacks ever in the UK.”

A sample of the data seen by the BBC includes patient names, dates of birth, NHS numbers and descriptions of blood tests. It is not known if test results are also in the data.

The hack has also resulted in more than 3,000 hospital and GP appointments and operations being disrupted.

A teenager being treated for cancer is among those affected.

Dylan Kjorstad’s parents have told the BBC they were left in a state of “disbelief” when they were told his operation to have a tumour on his ribs removed was being delayed.

Mr Martin, ex-head of the National Cyber Security Centre and now a professor at Oxford University, told the BBC Radio 4’s World at One programme it could be several months before systems were restored.

Qilin previously told the BBC they would publish the data unless they got paid.

There are also business account spreadsheets detailing financial arrangements between hospitals and GP services and Synnovis.

NHS England told the BBC it was aware of the publication but could not be completely sure the shared data was real.

“We understand that people may be concerned by this and we are continuing to work with Synnovis, the National Cyber Security Centre and other partners to determine the content of the published files as quickly as possible,” it said.

Synnovis, meanwhile, said: “We know how worrying this development may be for many people. We are taking it very seriously and an analysis of this data is already underway.”

The ransomware hackers infiltrated the computer systems of the company, which is used by two NHS trusts in London, and encrypted vital information making IT systems useless.

As is often the case with these gangs, they also downloaded as much private data as they could to further extort the company for a ransom payment in Bitcoin.

It is not known how much money the hackers demanded from Synnovis or if the company entered negotiations. But the fact Qilin has published some, potentially all, of the data means they did not pay.

Law enforcement agencies around the world regularly urge victims of ransomware not to pay as it fuels the criminal enterprise and does not guarantee that the criminals will do as they promise.

Ransomware expert Brett Callow, from Emsisoft, said healthcare organisations were increasingly being targeted as the hackers knew that they could cause a lot of harm and sometimes get a big pay day.

“Cybercriminals go where the money is and, unfortunately, the money is in attacking the healthcare sector. And since United Health Group reportedly paid a $22m (£17.3m) ransom earlier this year, the sector is more squarely in the crosshairs than ever before,” he said.

On Tuesday night, Qilin spoke to the BBC on an encrypted messaging service and said they had deliberately targeted Synnovis as a way to punish the UK for not helping enough in an unspecified war.

Mr Martin described that claim as “absolute garbage” and said their aims were “entirely financial.”

The gang, like many ransomware crews, is thought to be based in Russia, but told the BBC it could not be more specific about its political allegiance or geography “for security reasons”.

On their darknet site, they also have stolen data from other healthcare organisations, as well as schools, companies and councils from around the world.

“I think this is probably one of the most significant cyber attacks on the NHS,” said Saira Ghafur, an expert in healthcare cyber security at Imperial College London.

“This will all have quite a severe impact in the delivery of patient care, which we’ll see impacted for an ongoing couple of weeks,” she told World at One.

“We’re very much in the era, not that if we’re going to be attacked cyber attack, but when,” she added.

Ms Ghafur also said that systems now need to be “resilient enough to take several shocks at the same time” as attacks become more common.


This website uses cookies. By continuing to use this site, you accept our use of cookies.