Russian hackers who attacked the NHS have published the personal information and test results of patients, making them more vulnerable to fraud and extortion.
The cybercriminals from the Qilin ransomware group hacked into Synnovis, a laboratory that provides tests for five hospitals and GP services in the capital. The attack on June 3 paralysed the company’s IT system, blocking the digital ordering of tests and the delivery of results. The tests are often a prerequisite for hospital admissions and operations.
The hackers demanded $50 million to unfreeze the Synnovis IT system and return the stolen data. However, its publication suggests no money has been paid. Qilin has claimed responsibility for the hack.
The NHS said on Thursday that 1,134 elective procedures and 2,194 outpatient appointments had been postponed at King’s College Hospital Trust and Guy’s and St Thomas’ NHS Foundation Trust. Others affected include the Royal Brompton and Harefield hospitals, and the Evelina children’s hospital as well as GP services in southeast London. Sixty-four donated organs were diverted for use by other trusts.
Doctors at King’s have been told that there is no immediate end in sight to the disruption as it may take until September to fully restore services. One said: “The executive team openly acknowledged that we are working to minimise harm and risk, and talking about systems to record the harms.”
Advertisement
Luke Donovan, head of threat intelligence at Searchlight Cyber, said patients could be extorted as a result of the hack. “Impersonation could take place. Phishing campaigns [where people are scammed to give away sensitive data] associated with that content could take place and also potentially extortion. That extortion element will depend on the rest of that medical record which could potentially be out there,” he said.
‘Without the operation it’s terminal’
Blood transfusions are one of the most affected procedures. The mother of a three-year-old girl with kidney failure accused the hackers of “directly attacking and targeting babies, toddlers and amazing children” at the Evelina children’s hospital. The woman, identified only as Emma, told the BBC that blood tests were vital for keeping her daughter Emily alive because she has kidney failure.
Russell Ashley-Smith, 81, is waiting for complex open heart surgery at King’s College Hospital in South London, without which he may only have up to two years to live. He told The Independent: “I understand if I don’t [have the operation] it’s terminal. Doctors said you’ll live for one to two years with declining health and become less and less capable of doing things like walking.”
The NHS said that urgent treatment remained available and that the majority of planned activity had gone ahead.
Ciaran Martin, former chief executive of the National Cyber Security Centre, said that criminals could use the published data for scams, but the central issue was still the impact on patient care. “Data extortion ransomware is always and everywhere a bluff, because the damage is already done at the point of the hack,” he said. “The hackers have the data and will sell it to other criminals whether you pay or not.”
Advertisement
Martin, now a professor at Oxford University’s Blavatnik School of Government, added: “Other criminals will use it to try to scam money out of people. So the most important issue here remains the recovery of patient care. It is very unusual for people to suffer harm because personal records are published on the dark web.”
‘Our attacks are not accidental’
Synnovis is a joint venture between SynLab, a private German lab, and NHS hospitals. Public bodies in the UK have a policy of not paying ransom to cybercriminals.
One of the hackers claimed the group knew the attack would create a crisis. In an interview with The Register website, a spokesman said: “Yes, we knew that. That was our goal.”
Experts and security sources suggest that the group’s primary motivation is money, but the spokesman cited politics. “All our attacks are not accidental. We choose only those companies whose management is directly or indirectly affiliated with the political elites of a particular country. The politicians of these countries do not keep their word, they promise a lot, but are in no hurry to fulfil their promises,” he said.
In other interviews Qilin has alluded to Britain’s involvement in the Ukraine war as motivation.
Advertisement
Security sources do not believe the attack was state sponsored, but with the Putin administration giving safe harbour to hackers those lines can be blurred.
Dr Chris Streather, medical director for NHS London, said: “Although we are seeing some services operating at near normal levels and have seen a reduction in the number of elective procedures being postponed, the cyberattack on Synnovis is continuing to have a significant impact on NHS services in southeast London.
“Having treatment postponed is distressing for patients and their families, and I would like to apologise to any patient who has been impacted by the incident, and staff are continuing to work hard to rearrange appointments and treatments as quickly as possible.”
It has been reported that the National Crime Agency is weighing up the possibility of taking retaliatory action against Qilin.
A source with knowledge of the options being explored by the government agency told The Guardian: “There’s a specialist [NCA] team behind the scenes working to access, understand and remove the data if possible.”
Advertisement
“That’s being investigated and what’s possible. [Action is likely because] it’s effectively an attack on the state.”
US bans Russian antivirus software
The United States issued a national ban on Thursday on the Russian antivirus software Kaspersky because of national security fears. Gina Raimondo, the US secretary of commerce, said: “Russia has shown time and again they have the capability and intent to exploit Russian companies, like Kaspersky Lab, to collect and weaponise sensitive US information, and we will continue to use every tool at our disposal to safeguard US national security and the American people.”
Kaspersky is not banned in the UK, but the National Cyber Security Centre has previously advised public bodies and some companies against using it.
Kaspersky has a UK holding company, which has now been effectively sanctioned by the US. The firm is headquartered in Moscow, but has offices in 31 countries and serves more than 400 million users and 270,000 corporate clients in more than 200 countries.
The Commerce Department accused Kaspersky of “co-operation with Russian military and intelligence authorities in support of the Russian government’s cyberintelligence objectives”.
Advertisement
The company said it “believes that the Department of Commerce made its decision based on the present geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation of the integrity of Kaspersky’s products and services. Kaspersky does not engage in activities which threaten US national security”.
The NHS has set up a helpline on 0345 8778967.
