UK: Hackers publish stolen patient records

St Thomas' Hospital building
Some patients will reportedly have to wait months for blood tests as a result of the attack. (Source: IMAGO / ZUMA Press Wire)

An IT security breech at a British healthcare service provider resulted in the theft of patient data, according to media reports. Hundreds of gigabytes have now been published. The stolen records include results of blood tests for HIV and cancer.

As the Guardian reported on Friday, hackers stole records pertaining to roughly 300 million individual patient interactions with the National Health Service (NHS). The records include blood tests conducted on patients in advance of surgery, as well as the results of tests on patients “suspected of having a sexually transmitted infection.” The records reportedly date back “a significant number of years.”

The patient records were taken from the healthcare provider Synnovis. The company, which conducts tests of blood samples for hospitals, confirmed earlier this month that it had been the victim of a ransomware attack. Impacted hospitals have only been able to operate at limited capacity since the attack.

In a ransomware attack, criminals encrypt normally accessible data in a computer system and demand a ransom to restore access. Often the hackers will steal information and threaten to publish it. Paying the ransom doesn’t guarantee that the blackmailers will actually restore access to encrypted data or refrain from publishing stolen information.

Hackers publish trove of data

A criminal group from Russia that calls itself Qilin is said to be responsible for the attack. The hackers have reportedly demanded a ransom of 50 million US dollars. The group has allegedly published data on the so-called dark web.

The BBC was able to view a portion of the data and reports that it contains patient names, dates of birth, and unique NHS patient numbers. Descriptions of blood tests were also published – though the BBC was unable to determine whether the information included test results.

The NHS issued a statement saying that it was working in tandem with the National Crime Agency and National Cyber Security Centre to “determine the content of the published files as quickly as possible.” It could however take “weeks if not longer” to complete the investigation.

Procedures postponed

The ransomware attack has had major consequences for seven London hospitals. One of them, King’s College Hospital in London, oversees care for roughly one million people. Royal Brompton and Harefield Hospitals, which together comprise the largest heart and lung clinic in the UK, have likewise been unable to operate normally.

According to the NHS, in the first thirteen days following the incident, more than 1,000 planned procedures and more than 2,000 outpatient appointments were postponed. These included 184 cancer treatments and 64 organ transplants.

Patients reportedly must wait up to six months for the NHS to perform blood tests. Some have chosen to pay private clinics to perform the tests rather than wait, the Guardian reported on Sunday.

The NHS has admitted that the effects of the IT breech would continue to be felt for months to come.

Ransomware targeting the healthcare system

Several ransomware attacks in the healthcare sector have come to light in recent years. In 2017 numerous companies and institutions around the world were infected with the malware known as WannaCry – with British hospitals among those affected. According to the National Health Service, at least 7,000 appointments, including operations, had to be canceled. But by the NHS’s own estimate, the figure could have been as high as 19,000.

In fall 2020 Düsseldorf University Hospital in Germany had to postpone operations and close its emergency department after data on the hospital’s servers was encrypted by ransomware.

The incident drew a great deal of attention after one patient who had to be transferred to another hospital died shortly after the transfer. The state prosecutor opened an investigation on suspicion of negligent homicide, but later dropped the inquiry after an autopsy revealed that the woman likely would have died even if she had received faster treatment.

Late last year a company that operates 30 hospitals in six US states had to divert patients from its own emergency rooms to those of other hospitals. The health care chain’s systems were taken offline after ransomware was discovered.

A similar incident earlier this year impacted US pharmacies. And in February hospitals and other medical facilities in Romania were affected by a ransomware attack. (js)