What does the London NHS hospitals data theft mean for patients?

Guy's in Southwark, south London, one of the hospitals to have been affected by the data theft from Synnovis. Photograph: Finnbarr Webster/Alamy

A Russian criminal gang has stolen highly sensitive NHS patient data, including the results of blood tests for HIV and cancer, after a cyber-attack this month.

The group posted nearly 400GB of data overnight from a hack of Synnovis, a private/NHS joint venture that provides pathology services such as blood tests and transfusions. Seven hospitals run by two NHS trusts, Guy’s and St Thomas’ and King’s College, have been affected by the ransomware attack.

Qilin, the Russian gang that carried it out, has now released data it extracted during the cyberheist. The release of private information suggests that Synnovis has refused to pay a ransom to Qilin to decrypt its systems and delete any stolen data.

Synnovis said that an analysis of the data was under way in conjunction with the NHS, the National Cyber Security Centre and other partners which “aims to confirm whether the data was taken from Synnovis’ systems and what information it contains”.

What data has been stolen?

The hackers have a huge cache of data they have stolen from Synnovis, which relates to about 300m separate patient interactions with the NHS going back an unspecified but large number of years, the Guardian has been told. The NHS has released no details of what this data includes. But it includes the results of blood tests patients have taken before having an operation, including cancer and transplant surgery, or because they had a suspected sexually transmitted infection or were being checked to see if they had HIV. Qilin’s haul also includes data showing the results of tests that patients have had in the course of being cared for and treated by, according to a well-placed source, “multiple private [healthcare] providers”.

The BBC reported on Friday that the data Qilin posted online overnight included patients’ names, dates of birth, NHS numbers and “descriptions of blood tests”.

How can I find out if my data has been taken?

It is unclear if and how patients can find out whether or not data relating to blood tests and other interactions they have had with the NHS has been stolen or already published online. In a statement NHS England said the National Crime Agency and National Cyber Security Centre were working to verify the data included in the published files, but the investigation was “highly complex” because the files were not “simple uploads” and their work could take weeks or longer to complete.

NHS England said it would update NHS patients on a dedicated webpage, adding that people with questions could also call an incident helpline on 0345 8778967.

How could that data be used?

Criminal gangs can deploy personal data leaked in ransomware attacks to carry out fraudulent activity such as luring people into phishing scams, where victims are tricked into handing over sensitive information such as passwords or clicking on a link that downloads malicious software.

“There is a risk that other cyber criminals will try to use personally identifying information in the leak for identity theft or to carry out phishing attacks,” said James Tytler, an associate at S-RM, a cybersecurity consultancy firm specialising in ransomware attack response.

NHS England said anyone contacted by someone who claimed to have their data should contact Action Fraud online or on 0300 123 2040. Suspicious emails should be sent to report@phishing.gov.uk or texts to 7726.

Can you seek compensation if you are affected?

People’s data is protected by UK GDPR, which requires that organisations keep secure any personal data they hold.

“Individuals who suffer damage or distress as a result of an organisation’s breach of the UK GDPR have the right to sue the organisation for compensation,” said Kate Brimsted, a partner at the UK law firm Bryan Cave Leighton Paisner.

However, Brimsted added that just because a hack had taken place and data had been taken it did not mean there had been a security failing on the part of the organisation involved.

“There will need to be a careful root-cause analysis and technical investigation before any question of UK GDPR breach or liability is known.”

Can the data be returned if a ransom is paid?

Data from the hack has already been published on an online messaging platform and could have been accessed by criminals. Publication usually signals that a ransom has not been paid, and the attackers will be moving on to their next victim.

Ciaran Martin, the former head of the National Cyber Security Centre, said paying a ransom for the data to be “deleted” did not work. A recent operation by the UK’s National Crime Agency against the LockBit ransomware gang found that the group had held on to data despite saying it would delete it after receiving a payment.

“We know from the National Crime Agency’s takedown of LockBit that the data is out there whether you pay or not,” he said.
