NHS England confirm patient data stolen in cyber attack
NHS England has confirmed its patient data managed by blood test management organisation Synnovis was stolen in a ransomware attack on 3 June.
Qilin, a Russian cyber-criminal group, shared almost 400GB of private information on their darknet site on Thursday night, something they threatened to do in order to extort money from Synnovis.
In a statement, NHS England said there is “no evidence” that test results have been published, but that “investigations are ongoing”.
More than 3,000 hospital and GP appointments were disrupted by the attack.
“Patients should continue to attend their appointments unless they have been told otherwise and should access urgent care as they usually would,” NHS England said.
A sample of the stolen data seen by the BBC includes patient names, dates of birth, NHS numbers and descriptions of blood tests, something cyber security expert Ciaran Martin told the BBC was “one of the most significant and harmful cyber attacks ever in the UK.”
There are also business account spreadsheets detailing financial arrangements between hospitals and GP services and Synnovis being taken.
The ransomware hackers infiltrated the computer systems of the company, which is used by two NHS trusts in London, and encrypted vital information making IT systems useless.
As is often the case with cyber-criminals, they also downloaded as much private data as they could to further extort the company for a ransom payment in Bitcoin.
It is not known how much money the hackers demanded from Synnovis or if the company entered negotiations. But the fact Qilin has published some, potentially all, of the data means they did not pay.
The cyber-attackers told the BBC on an encrypted messaging service they had deliberately targeted Synnovis as a way to punish the UK for not helping enough in an unspecified war.
In NHS England’s statement it said it “continues to work with Synnovis and the National Crime Agency”.
NHS England said it had set up a helpline to support people impacted by the attack and it will continue to share updates, but “investigations of this type are complex and take time”.
Related
Youth football teams hold minute’s silence for 10-year-old Poppy Atkinson
Youth football teams and grassroots clubs across the country have held a minute’s silence at the start of their games to commemorate a 10-year-old girl who di
Girl’s death sparks minute’s silence at football matches nationwide
10-year-old Poppy Atkinson was killed when she was struck by a car during a training session at Kendal Rugby Club in Cumbria. Clubs from Leeds to London
Liverpool fans’ Uefa claim can be heard in England, judge…
The high court, sitting in Liverpool, heard Uefa had relied upon the principle that English courts will not inquire into the legality of actions by foreign gove
Alan Shearer’s Premier League predictions including Manchester United vs Arsenal
Caption: Alan Shearer?s Premier League predictions credit: Getty / Metro After some impressive results for English sides in Europe the focus is
