Russian cyber criminal gang behind ransomware attack on London hospitals that forced cancellation of major surgeries
5 June 2024, 10:11
Russian cyber criminals are behind a ransomware attack affecting London's hospitals that has prevented patients from undergoing major surgeries and blood transfusions.
A "critical incident" has since been declared that has led to a "severe reduction in capacity" since the attack midday Monday.
Memos to NHS staff at King's College Hospital, Guy's and St Thomas', the Royal Brompton and the Evelina London Children's Hospital, as well as primary care services in the capital, said there had been a "major IT incident".
Former chief executive of the National Cyber Security Centre Ciaran Martin said the Russians were behind the attack which targetted London's NHS services though pathology firm Synnovis.
"We believe it is a Russian group of cyber criminals who call themselves Qilin," Mr Martin said.
"These criminal groups - there are quite a few of them - they operate freely from within Russia, they give themselves high-profile names, they've got websites on the so-called dark web, and this particular group has about a two-year history of attacking various organisations across the world," he told BBC Radio 4's Today Programme.
"They've done automotive companies, they've attacked the Big Issue here in the UK, they've attacked Australian courts. They're simply looking for money."
He said it is "unlikely" the Russian hackers would have known they would cause such serious primary healthcare disruption when they set out to do the attack.
He added: "There are two types of ransomware attack. One is when they steal a load of data and they try and extort you into paying so that isn't released, but this case is different. It's the more serious type of ransomware where the system just doesn't work.
"So, if you're working in healthcare in this trust, you're just not getting those results so it's actually seriously disruptive. "This type of ransomware has affected healthcare all over the world.
"It's particularly damaging in the United States, and where this type of cyber attack is different in terms of its impact from others, is that it does affect people's healthcare. So it's really one of the more serious that we've seen in this country."
He said the Government has a policy of not paying but the company would be free to pay the ransom if it chose to. Regarding patient data, he said: "It's not really a question of data in this one, it's a question of the services.
"The criminals are threatening to publish data, but they always do that. Here the priority is the restoration of services."
Synnovis is a provider of pathology services and was formed from a partnership between SynLab UK & Ireland, Guy's and St Thomas' NHS Foundation Trust and King's College Hospital NHS Foundation Trust.
Some procedures and operations at the hospitals have been cancelled or have been redirected to other NHS providers as hospital bosses establish what work can be carried out safely.
NHS officials said they are working with the National Cyber Security Centre to understand the impact of the attack. Synnovis said the incident has been reported to law enforcement and the Information Commissioner.
Health Secretary Victoria Atkins said on Wednesday that her "absolute priority is patient safety".
On social media site X, formerly Twitter, Ms Atkins wrote: "Throughout yesterday I had meetings with NHS England and the National Cyber Security Centre to oversee the response to the cyber attack on pathology services in south-east London.
"My absolute priority is patient safety and the safe resumption of services in the coming days."
The Health Service Journal (HSJ) reported one senior NHS manager saying: "It's everyone's worst nightmare. The difficulty will be that when you have total system downtime, the volumes of tests will be huge. Even if you could transport samples around London to other labs how would you get the results back as they are not integrated in that way?
"Urgent tests will have to be managed onsite. They will no doubt be asking GPs to send urgent tests only, to manage volumes."
Another source told the HSJ the attack presented a huge problem for urgent and emergency care at the hospitals as they would not be able to access quick-turnaround blood test results.
Synnovis said on Wednesday it was unable to comment further on the attack but confirmed a taskforce of IT experts from the firm and the NHS were working to fully assess the impact and what action is needed.
A spokesman for NHS England London region said on Tuesday that Monday's incident was "having a significant impact" on the delivery of services at Guy's and St Thomas', King's College Hospital NHS Foundation Trust and primary care services in south-east London.
Fears NHS cyber attack impact on London hospitals 'will last weeks' as operations and blood transfusions cancelled
The impact of a cyber attack on NHS hospitals in London that has seen operations cancelled and delayed blood transfusions is set to last for weeks.
A critical incident was declared on Tuesday at Guy’s and St Thomas’ and Kings College hospitals, which cancelled operations.
Staff were unable to access an IT system needed for blood transfusions.
The IT hack is affecting the systems used at the Royal Brompton, heart and lung specialist Harefield Hospital, Guy's, St Thomas' & King's College hospitals.
Royal Brompton and Harefield hospitals have been forced to cancel all transplant surgeries. Nearby hospitals in London are accepting extra patients.
GP surgeries in the London boroughs of Bexley, Greenwich, Lewisham, Bromley, Southwark and Lambeth are also affected.
And the impact of the hack could last for "weeks, rather than days", according to Ben Clover, bureau chief at the Health Service Journal, an industry publication.
He told LBC: "This is one of the things that is so disturbing to my contacts in the NHS is that you can have IT failures within a hospital [and] they usually get fixed fairly quickly."
"People are expecting this to take weeks, rather than days, so it’s a really, really worrying time."
The cyber attack affected IT system run by private company Synnovis, which apologised for the incident.
Roy Lilley, a health service analyst, said: "This system is responsible for not only the distribution of blood and blood products, but also pathology.
"Pathology is where you go when you need blood tests and all the other tests done, urine and so on, and in a modern hospital you can’t move really without pathology tests."
Earlier, the CEO of Guy’s and St Thomas’ wrote to stage saying there was a ‘critical incident’ affected pathology services.
“This is having a major impact on the delivery of our services, with blood transfusions being particularly affected.
In a statement Mark Dollar, Synnovis CEO, said: "On Monday June 3, Synnovis – a partnership between two London-based hospital Trusts and SYNLAB - was the victim of a ransomware cyberattack. This has affected all Synnovis IT systems, resulting in interruptions to many of our pathology services.
"It is still early days and we are trying to understand exactly what has happened. A taskforce of IT experts from Synnovis and the NHS is working to fully assess the impact this has had, and to take the appropriate action needed. We are working closely with NHS Trust partners to minimise the impact on patients and other service users.
"Regrettably this is affecting patients, with some activity already cancelled or redirected to other providers as urgent work is prioritised. We are incredibly sorry for the inconvenience and upset this is causing to patients, service users and anyone else affected. We are doing our best to minimise the impact and will stay in touch with local NHS services to keep people up to date with developments.
"We take cybersecurity very seriously at Synnovis and have invested heavily in ensuring our IT arrangements are as safe as they possibly can be. This is a harsh reminder that this sort of attack can happen to anyone at any time and that, dispiritingly, the individuals behind it have no scruples about who their actions might affect.
"The incident is being reported to law enforcement and the Information Commissioner, and we are working with the National Cyber Security Centre and the Cyber Operations Team. We will share further updates as we know more, but regret that we are unable to respond to individual queries from the media at this time – thank you for your understanding."
“Some activity has already been cancelled or redirected to other providers at short notice as we prioritise the clinical work that we are able to safely carry out.”
Clinical staff were told that “our pathology partner Synnovis experienced a major IT incident earlier today.”
The husband of a patient asked yesterday: "My wife has a phlebotomy appointment at 7.40am for gestational diabetes checks amongst other things.
"She received a text at 7pm this evening saying phlebotomy services are cancelled until further notice. What can she do? Is the appt still taking place? Really poor comms."
A spokesman for King's College Hospital in London confirmed it was affected by the cyber attack.
The incident is thought to have occurred on Monday, meaning some departments could not connect to their main server. In a letter to staff, King's said the "major IT incident" was having a major impact on the delivery of services, with blood transfusions particularly affected.
Some procedures have been cancelled or redirected to other NHS providers, it said.
by Sofia Villegas
05 June 2024
@SofiaVillegas_1
Russian gang could be behind major cyber attack on NHS hospitals | Alamy
Ther former chief executive of the National Cyber Security Centre, Ciaran Martin, claims a Russian cyber gang is behind the cyber attack that has affected major London hospitals.
Martin said the group, known as Qilin, has a “two-year history” of attacking organisation across the globe.
Yesterday, King’s College hospital and Guy’s and St Thomas’ NHS Trusts, including the Royal Brompton and the Evelina London children’s hospital, confirmed they had been hit by the cyber breach on pathology service firm Synnovis.
The incident led to operations being cancelled and patients being redirected while staff were also unable to conduct blood transfusions.
Speaking to BBC Radio 4’s Today programme, Martin said: “These criminal groups – there are quite a few of them – they operate freely from within Russia, they give themselves high-profile names, they’ve got websites on the so-called dark web, and this particular group has about a two-year history of attacking various organisations across the world.
“They’ve done automotive companies, they’ve attacked the Big Issue here in the UK, they’ve attacked Australian courts. They’re simply looking for money.”
He added it was “unlikely” the Russian cyber group would have known they would cause such serious primary healthcare disruption when they set out to do the attack.
He continued: “There are two types of ransomware attack. One is when they steal a load of data and they try and extort you into paying so that isn’t released, but this case is different. It’s the more serious type of ransomware where the system just doesn’t work.
“So, if you’re working in healthcare in this trust, you’re just not getting those results so it’s actually seriously disruptive.
“This type of ransomware has affected healthcare all over the world.
“It’s particularly damaging in the United States, and where this type of cyber attack is different in terms of its impact from others, is that it does affect people’s healthcare. So, it’s really one of the more serious that we’ve seen in this country.”
He said the government had a policy of not paying but Synnovis would be free to pay the ransom if it chose to.
“The criminals are threatening to publish data, but they always do that. Here, the priority is the restoration of services,” he added.
UK health secretary Victoria Atkins has confirmed via X that she has met with NHS England and the National Cyber Security Centre to oversee the response to the cyber-attack on pathology services in south-east London.
Major hospitals in London have declared a critical incident after a cyber-attack led to operations being cancelled and emergency patients being diverted elsewhere.
It applies to hospitals partnered with Synnovis - a provider of pathology services.
King’s College Hospital, Guy’s and St Thomas’ - including the Royal Brompton and the Evelina London Children’s Hospital - and primary care services are among those affected.
The incident has had a "major impact" on the delivery of services, especially blood transfusions and test results.
It is thought to have happened on Monday, meaning some departments could not connect to a main server.
Some procedures have been cancelled or have been redirected to other NHS providers as the hospitals try to establish what work can be carried out safely.
The NHS said emergency care continued to be available.
GP services across Bexley, Greenwich, Lewisham, Bromley, Southwark and Lambeth boroughs have also been affected.
A spokesperson from Synnovis said the company had sent in a "taskforce of IT experts" to "fully assess" the impact.
The NHS apologised for the inconvenience and said it was working with the National Cyber Security Centre to understand the impact.
'Go home and wait'
One patient, Oliver Dowson, 70, was prepared for an operation from 06:00 at the Royal Brompton. He was told by a surgeon at about 12:30 that it would not be going ahead.
“The staff on the ward didn’t seem to know what had happened, just that many patients were being told to go home and wait for a new date," he said.
“I’ve been given a date for next Tuesday and am crossing my fingers.
"It’s not the first time that they have cancelled, but that was probably staff shortages in half-term week.”
NHS computer issues linked to patient harm
Hospital IT system warning after 'preventable' death
Q&A: Electronic care records
Vanessa Welham from Streatham, south-west London, said her husband's blood test at Gracefield Gardens health centre was cancelled on Monday evening.
"My husband received a text message last night advising his appointment this morning had been cancelled due to circumstances beyond their control, and that all major south London hospitals are unable to take any bookings for an indefinite period of time.
"He went on to the Swift website and made a new appointment - the earliest available was June 17, but that's probably questionable."
'Incredibly sorry'
A spokesperson for NHS England London region confirmed Synnovis was the victim of a ransomware cyber attack.
“Emergency care continues to be available, so patients should access services in the normal way, and patients should continue to attend appointments unless they are told otherwise," they said.
"We will continue to provide updates about the impact on services and how patients can continue to get the care they need."
A spokesperson for Synnovis said: "We are incredibly sorry for the inconvenience and upset this is causing to patients, service users and anyone else affected.
"We are doing our best to minimise the impact and will stay in touch with local NHS services to keep people up to date with developments."
'Harsh reminder'
The spokesperson added it had "invested heavily" in "ensuring our IT arrangements are as safe as they possibly can be".
"This is a harsh reminder that this sort of attack can happen to anyone at any time and that, dispiritingly, the individuals behind it have no scruples about who their actions might affect.
"The incident is being reported to law enforcement and the Information Commissioner, and we are working with the National Cyber Security Centre and the Cyber Operations Team."
Cyber security expert Steve Sands, from the Chartered Institute for IT, said ransomware threat was now an "ever-present danger to critical institutions from schools to hospitals".
He added: “Of course, the perpetrators have no conscience, and they will attack any organisation whose cyber defences are not sufficiently robust.
“We need to ensure that all public sector organisations have contingency plans in place to manage cyber attacks, that staff are regularly trained on risk and there is sufficient investment in software resilience.
“Whoever forms the next government needs to make sure the NHS has this resource and that it is spent correctly, to ensure that lives are not put at risk.”
Prof Awais Rashid, head of the Bristol Cyber Security Group at the University of Bristol, said digital infrastructures were often a complex combination of many different systems and third-party service providers.
"Hence, cyber-attacks can have significant and substantial cascading impacts as we are seeing in this unfolding situation where critical health services are being impacted."
A government spokesperson said patient safety was its priority and support was being provided to the company.
"We are working [with Synnovis] to minimise the impact on services for a number of NHS organisations in south-east London."
Jun 1, 2024 | 09:00 GMT
In this episode of Essential Geopolitics, RANE Director of Analysis Sam Lichtenstein provides an overview of recent Russian-linked sabotage incidents in Europe and discusses likely scenarios for the campaign's evolution.
RANE is a global risk intelligence company that delivers risk and security professionals access to critical insights, analysis and support to ensure business continuity and resilience for our clients. For more information about RANE's risk management solutions, visit www.ranenetwork.com.
