By Erika Koutroumpa
In early June, patient data from an NHS pathology testing provider was stolen by the cybercriminal gang Qilin, marking one of the most significant cyberattacks in the UK.
Qilin is a cybercrime group that has developed cryptovirological malware, which blocks people and organizations from accessing their stolen data unless a ransom is paid. They publicly threatened that if their ransom demands were not met, they would release the stolen data. After nearly a month of negotiations with the affected provider, Synnovis, the group followed through on their threat, uploading almost 400 GB of information to the dark web. This data includes not only over 300 million patient-NHS interactions but also financial arrangements between hospitals and GP services.
Cybercriminals often target systems with existing vulnerabilities, and Qilin’s preferred method of infiltration appears to be “spear phishing.” This tactic involves obtaining credentials or installing malicious software by deceiving insiders. Once the attackers were inside, Synnovis’s critical data was encrypted, rendering the IT systems inoperable unless the NHS complied with the ransom demand. Qilin’s demands reportedly ranged from $50,000 to $800,000 in Bitcoin. However, in this instance, the ransom was not paid. A growing number of experts advise against paying ransoms in such cases, as it can encourage further attacks, and even if the ransom is paid there is no guarantee that the criminals will honor their end of the deal.
On June 3rd, Synnovis announced the breach, reporting that their IT systems were inaccessible. Over 1,000 medical procedures and appointments were postponed, impacting Guy’s, St Thomas’, and King’s College Hospitals NHS Foundation Trusts, as well as GP services in other London boroughs. While the company worked to recover its systems, blood tests had to be conducted using older methods, with results only available in printed form, leading to significant delays. Additionally, thousands of blood samples had to be discarded within the first two weeks of the attack, and the disruption in blood matching tests led to a shortage of O-type blood in the wider area.
Qilin claimed that their actions were intended to make a political statement against the government’s stance in an undisclosed conflict. They also issued an apology for the inconvenience caused to patients, though they refused to accept any guilt or responsibility. The group has been active since 2022, targeting a range of organizations including healthcare institutions, schools, and hospitals. However, this is the first time Qilin has cited political motivations as the driving force behind their hacking.
This incident is widely regarded as one of the most significant cyberattacks in the UK to date. Experts estimate that it could take several months to fully restore the affected systems. The NHS has established a hotline for victims, as their private information is now accessible to other cybercriminals who may attempt to exploit them further.