Ransomware Group Exposes 300 Million Patients’ Data

The Qilin ransomware group, believed to be Russian, uploaded to its dark web leak site the information stolen during the attack on Synnovis because of non-payment of the $50 million ransom demand.

On June 3, 2024, Synnovis, the company offering pathology services to the UK’s National Health Service (NHS), was targeted by the Qilin ransomware group causing delays to its services. The ransomware attack still impacts several NHS trusts in London. Recovery is likely to take several weeks or even months.

Two of the hardest-hit NHS trusts were Guy’s and St Thomas’ Foundation Trust and King’s College Hospital Foundation Trust. The attack impacted 7 hospitals managed by those trusts, driving them to cancel 1,134 scheduled procedures and 2,194 outpatient visits in 13 days since the attack. The volume of blood testings completed is down to about 10% of normal levels.

Like many typical ransomware attacks, Qilin extracted data files before deploying the ransomware for file encryption. On June 21, Qilin published 400 GB of data, including sensitive data, on its dark web data leak page, so that cybercriminals could freely download them. The exposed information comprised data from over 300 million patient communications with the NHS. The compromised information is still being validated but it seems to be real.

The information includes blood test data, such as highly sensitive test data for HIV, STD, and cancer. Determining the specific types of information and the number of impacted persons may take several weeks because of the enormity of the data theft. The data breach doesn’t seem to be confined to NHS patients. Synnovis also offers pathology services to private hospitals and some stolen information is known to consist of personal healthcare records subject to privacy laws.

The impacted patients may encounter extortion because of the sensitivity of part of the stolen information. For example, cybercriminals could frighten patients who were found to be HIV positive to expose that information to the public when they fail to pay the ransom.

The National Cyber Security Centre (NCSC) and the UK’s National Crime Agency (NCA) are considering to retaliate against the ransomware group. Because this attack impacted the NHS and involved the theft of NHS data, the attack is regarded as an attack on the state. The main priority is to attempt to remove all the uploaded information if possible.

The NCA earlier conducted a global law enforcement operation to shut down the LockBit ransomware group. The operation succeeded in taking command and control of the group’s infrastructure in February 2024. However, the operation was short-lived. The LockBit infrastructure was quickly restored and the group is continuing its operations. Based on an NCC Group report, LockBit was recognized as the most active threat group in May 2024.

Photo credits: Sardar – AdobeStock.com

Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

John Blacksmith

John Blacksmith is a journalist with several years experience in both print and online publications. John has specialised in Information technology in the healthcare sector and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism.