Cybersecurity News

Russian Hack on London Hospitals Under Investigation Amid Concerns of Patient Data Breach

23 June 2024 | Paikan Begzad

Summary

The investigation into a recent ransomware attack on London hospitals by the Russian group Qilin is expected to take several weeks. The attack has significantly impacted services, leading to repeated tests for some patients. The National Health Service (NHS) has confirmed that the breach, affecting King’s College and Guy’s and St Thomas’ hospital trusts, has resulted in a significant data dump of patient records online.

NHS England revealed that data from the attack, including nearly 400GB of patient information such as names, birth dates, and blood test descriptions, was published on Qilin’s darknet site and Telegram channel. This incident has been classified as a “critical incident” due to its major impact, especially on blood transfusion services.

The National Crime Agency (NCA) and the National Cyber Security Centre (NCSC) are actively working to verify the leaked data, but the complexity of the investigation means it could take weeks or longer. The Guardian reported that the stolen records cover 300 million patient interactions, including sensitive tests for HIV and cancer.

To support affected patients, a dedicated website and helpline have been established. NHS England expressed understanding of the distress caused to patients needing to retake tests. The NCA is leading the criminal investigation but has not provided further comments at this stage.

Ransomware attacks, which involve locking computer systems until a ransom is paid, are increasingly common and disruptive, targeting various sectors including healthcare. The 2017 ransomware attack on the NHS highlighted the vulnerabilities in the system, causing widespread disruption.

Qilin, also known as Agenda, is notorious for leasing malware to affiliates for a share of the ransom. The group has claimed over 100 victims. The recent attack on Synnovis, a pathology service provider in southeast London, has resulted in the cancellation of numerous operations and appointments, more than two weeks after the initial breach on June 3.