Hacked UK Trove of Medical Records Includes Data on Newborns, Cancer Patients

June 27, 2024 by

Hackers behind a London hospital attack recently published records that include personal information about pregnant women, newborns, cancer patients, people suffering from schizophrenia and thousands of others across the UK and Ireland, revealing the breach was far more widespread than authorities have previously indicated.

An analysis of the data trove by Bloomberg News found that it contains tens of thousands of medical records on patients from more than 400 public and private hospitals and clinics. Among the records are some 40,000 highly sensitive documents sent by doctors requesting biopsies and blood tests for individual patients in all regions of the UK and some hospitals in Ireland.

The June 3 attack against lab-services provider Synnovis locked down critical computer systems used to provide blood-testing and transfusion services to National Health Service hospitals and clinics, primarily in South East London. Bloomberg’s analysis indicates the impact extends much further.

Synnovis said in an emailed statement that the company’s “administrative working drive” had been published by the hackers in a partial form. The company added that the data would contain “some fragments” of patient identifiable data, and it was continuing to investigate the contents.

NHS England referred to a statement it published on Monday, which said: “We understand people may be concerned by this, and Synnovis are working at pace to carry out the further analysis required to understand the full scale and nature of the data released and patients impacted.”

A Russian-speaking hacker group, known as Qilin, claimed credit for the attack against Synnovis. Blood tests have been severely curtailed over the past few weeks, while more than 1,000 operations and 2,000 outpatient appointments were delayed, primarily at hospitals and primary care services in south London.

Qilin demanded a $50 million ransom from Synnovis but subsequently posted about 400 gigabytes of data stolen from the company on the social media platform Telegram.

Cyberattacks on health care operators are rising as the sector has rapidly adopted new digital technologies with inadequate consideration of security issues. The number of such events globally rose from 32 in 2022 to 121 last year, The Lancet reported in May, citing the European Repository of Cyber Incidents.

The stolen records are dated between 2013 and 2023 and many contain detailed, handwritten descriptions of each patient’s condition, along with their name, address, and date of birth. The trove also includes thousands of spreadsheets and invoices detailing various blood and other tests carried out for individual patients. The documents detail a wide variety of patients’ health conditions, including forms of cancer, skin infections, burns, ulcers, and organ and bone marrow transplants.

The records also include details of blood tests sent by psychiatrists to monitor patients taking Clozapine, an antipsychotic drug often used to treat schizophrenia.

Saira Ghafur, an expert in health care cybersecurity at Imperial College London, said the breach could be the worst the NHS has ever experienced, both in terms of impact to patient care and the amount of data stolen and published online.

“This is an egregious attack on national security and a massive attack on patient safety,” she said.

It’s not clear how the hackers were able to compromise Synnovis, which has said it’s investigating. But some of the organizations affected by the breach had been aware of cybersecurity vulnerabilities for years, Bloomberg News previously reported.

A breach of the kind faced by Synnovis was inevitable, according to Saif Abed, a former NHS doctor and expert in cybersecurity and public health. “The NHS has some of the best patient safety and cybersecurity standards in the world,” Abed said. “They are just immensely poorly enforced.”

Abed said that there was a lack of mandatory cybersecurity audits on any contractors providing services to the NHS, which meant those contractors could have substandard cybersecurity practices that could in turn leave the NHS vulnerable.

A spokesperson for NHS England said in an emailed statement that it was increasing “cyber resilience” across the country and had invested more than £338 million ($427 million) over the past seven years.

The hackers behind the attack said in messages to Bloomberg News that they had given Synnovis a 120-hour deadline to pay the $50 million ransom and “cut off contacts” when the deadline expired. The group refused to accept responsibility for potential harm caused to patients as a result of the attack and claimed they had carried it out because they were opposed to the British government.

Brett Callow, threat analyst at cybersecurity firm Emsisoft, said he suspected the gang’s motivation for hacking Synnovis was purely financial. “The individuals responsible for this may well be twenty-somethings with more money and arrogance than brains,” he said. “They may believe that blurring their motivation may help blur their identity.”

The UK’s National Crime Agency has opened a criminal investigation into the incident.

“We are working closely with the National Cyber Security Centre, NHS England and our international law enforcement partners, to progress our investigation and support the incident response,” the agency said in a statement.

Photograph: National Health Service branding on laboratory coats at Guy’s and St Thomas’s Hospital in London, UK, on Thursday, May 25, 2023. Photo credit: Jose Sarmento Matos/Bloomberg