Introduction
In early June, the National Health Service (NHS) in the UK was targeted by Russian threat actors in a significant ransomware attack, causing disruptions and impacting patient care. This report provides an overview of the attack, including details on the threat actors involved, the impact on the NHS and affiliated organizations, and a description of the sensitive patient data that was stolen.
Attack Overview
On June 3, 2024, Synnovis, a pathology services vendor and a key supplier to the NHS, fell victim to a ransomware attack that was carried out by the Qilin ransomware gang. This cyberattack disrupted patient care across multiple NHS hospitals in London, impacting critical services such as transplants, blood testing, and other essential healthcare operations.
Threat Actors
The attack has been attributed to a group of Russian cybercriminals. Ciaran Martin, former chief executive of the National Cyber Security Centre, identified the ransomware as being deployed by the Qilin ransomware group, which operates on a ransomware-as-a-service (RaaS) model. Attribution is not settled, however: some sources attribute the attack to the Qilin (aka Agenda) RaaS platform, while others have not confirmed this association.
Impact on NHS and Affiliated Organizations
The attack has had a significant impact on the delivery of healthcare services within the NHS. Several major hospitals in London, including Guy's and St Thomas' NHS Foundation Trust and King's College Hospital NHS Foundation Trust, have been forced to cancel non-emergency operations and blood tests. Primary care services in southeast London have also been affected.
The compromised IT systems have disrupted critical services, such as blood transfusions, diagnostic imaging, and prescription filling. This has led to delays in patient care and the diversion of ambulances to other hospitals in emergency situations. The attack has caused significant inconvenience and distress to patients and their families.
Stolen Patient Data
The stolen patient data includes records covering approximately 300 million patient interactions with the NHS. The data encompasses a wide range of medical information, including the results of blood tests for HIV and cancer. The exact timeframe of the data is unspecified but is believed to span a significant number of years.
Types of Data Stolen
Pre-Operative Blood Test Results: The stolen data includes blood test results of patients who underwent operations, including cancer and transplant surgeries.
Sexually Transmitted Infection (STI) Testing: Patients who were tested for suspected STIs or HIV are also affected by the data breach.
Ongoing Care and Treatment: The stolen data contains information on tests performed by multiple private healthcare providers during patients' care and treatment.
Data Elements
The stolen patient data includes the following information:
Patient Names
Dates of Birth
NHS Numbers
Descriptions of Blood Tests
Response and Investigation
The theft of such a vast amount of sensitive patient data has raised significant concerns among NHS officials and patients. The affected NHS trusts have set up a helpline to address inquiries from concerned patients and healthcare staff. Patients are advised not to contact their local hospitals or GP practices to inquire about the impact of the attack, as they do not possess this information.
The National Crime Agency (NCA) and the National Cyber Security Centre (NCSC) are in discussions regarding potential retaliatory action against the Qilin ransomware gang. The UK government, including GCHQ, is actively involved in these conversations.
Lessons Learned and Future Preparedness
The recent ransomware attack on the NHS highlights the ongoing threat to healthcare organizations and the need for robust cybersecurity measures. It is crucial for hospitals and healthcare providers to prioritize cybersecurity investments, implement advanced security solutions, and regularly train staff on best practices to prevent and respond to such attacks.
The incident also underscores the importance of collaboration between healthcare organizations, government agencies, and cybersecurity experts. Sharing threat intelligence, conducting regular risk assessments, and staying updated on the latest cybersecurity trends can help strengthen the healthcare sector's resilience against future attacks.
Conclusion
The ransomware attack on the NHS has had a significant impact on patient care and operations within the healthcare system. The involvement of sophisticated threat actors highlights the evolving nature of cyber threats faced by healthcare organizations. It is imperative for the NHS and affiliated organizations to remain vigilant, enhance their cybersecurity defenses, and continue to prioritize the protection of sensitive patient data and critical healthcare services.
This article was created using Cybersixgill IQ, our generative AI capability that supports teams with instant report writing, simplifies complex threat data and provides 24/7 assistance, transforming cybersecurity for every industry and every individual, at every level.