This site is intended for health professionals only

Cyber criminals publish alleged NHS patient data

Cyber criminals publish alleged NHS patient data
By Eliza Parr
24 June 2024

The perpetrators of a recent cyber-attack on a pathology laboratory have published data which they claim belongs to NHS patients.

NHS England is investigating this as a ‘matter of extreme urgency’ to determine the content of the files and establish whether NHS patients have been affected, but this investigation could ‘take weeks if not longer’ to complete.

Synnovis, a provider of lab services for a group of London hospitals, was the ‘victim of a ransomware cyberattack’ which caused ‘interruptions’ to its pathology services on 3 June.

NHS England’s London branch said the cyber attack had a ‘significant impact’ on services at Guy’s and St Thomas’ and King’s College Hospital NHS Foundation Trust, as well as primary care services in south east London.

Lewisham and Greenwich NHS Trust warned that the ‘majority’ of GP-requested pathology tests are ‘postponed until further notice’. 

South East London ICB said earlier this week that GP referrals have been ‘significantly impacted’, with only urgent referrals being accepted for blood sciences. 

The majority of planned activity has been able to go ahead, but so far over 1,100 elective procedures and almost 2,200 outpatient appointments have been postponed across two London hospital trusts. 

In the latest update, a spokesperson for NHS England said it had been ‘made aware that the cyber criminal group published data last night which they are claiming belongs to Synnovis’.

They said: ‘The National Crime Agency and National Cyber Security Centre are working to verify the data included in the published files as quickly as possible.

‘We understand that people may be concerned by this and as more information becomes available through Synnovis’ full investigation, the NHS will continue to update patients and the public on this webpage.’

NHS England acknowledged that ‘full technical restoration’ of Synnovis’ pathology services ‘will take some time’, and disruption ‘will be felt over the coming months’.

Dr Gavin McColl, a GP partner and PCN clinical director in South East London, said it is ‘natural’ that the focus is on secondary care procedures such as C-sections or blood transfusions, but warned that the impact on primary care has been ‘huge’ and ‘profound’. 

He highlighted that general practice is ‘heavily reliant’ on blood tests for both acute and long-term care, as well as medication monitoring. 

There are concerns that the delay to long-term condition management, which is usually happening ‘constantly’ at GP practices, is storing up a large backlog – ‘I can’t stress enough the extent of the backlog that’s going to happen,’ Dr McColl warned.

He said the current prediction is that labs will not be fully operational again until the end of September, while he expects the ‘dust will not settle on this for a year’.

Dr McColl has also found that ‘surprisingly’, many of his patients are not aware of the cyber-attack, which means it is ‘labour-intensive’ explaining the delays to patients each time. 

Once patients become aware that patient data has potentially been shared, he said he would imagine ‘they will come at us with a lot of intensity’.

‘One of the concerns we’ve got is that it seems – I don’t know if this is fact – but it seems that that data may include the indications for tests, so that’s where you may be describing someone’s personal situation in order to justify the blood test – that’s something we’re very worried about,’ Dr McColl added.

NHS England has acknowledged to GP practices that they may be facing more queries from worried patients, but it is not yet known whether the published files contain real NHS data. 

Dr Clare Gerada, a GP partner for the Hurley Group which has practices in South East London, highlighted that the ‘big problem isn’t now’, it will be the ‘knock-on effect’ for practices with QOF and CQC. 

She said: ‘If we can’t do our monitoring tests for all the patients – diabetes, hypertension, cholesterol – now, then the backlog is just going to cause serious problems. 

‘It’s QOF, it’s CQC – it’s the knock-on effects of this as well as the issues about our patients, it’s how are we going to do routine monitoring for them? Because we can’t be doing thousands of them once things get back to normal.’

Londonwide LMCs said it is seeking ‘urgent clarification’ on whether patient data has been shared, and highlighted the importance of both GPs and patients having ‘confidence that patient information remains confidential’.

‘Until we receive assurances that this is the case, there will be significant concerns among practices across London,’ deputy CEO Dr Lisa Harrod-Rothwell said.

She also said there must be a ‘strong focus on cyber security’ given the various data sharing projects being rolled out across the NHS.

Earlier this week, Londonwide LMCs said it was working with South East London ICB to ‘ensure that critical and urgent samples from general practices are prioritised’.

They are also working to secure ‘mutual aid’ from other areas to allow investigations for routine medical care and referrals.

The disruption is affecting all GPs across South East London, and is expected to ‘continue for a number of months’, according to a statement from the LMCs. 

Responding to news of the alleged publication of patient data, a spokesperson for Synnovis said: ‘We know how worrying this development may be for many people. We are taking it very seriously and an analysis of this data is already underway.

‘This analysis, run in conjunction with the NHS, the National Cyber Security Centre and other partners, aims to confirm whether the data was taken from Synnovis’ systems and what information it contains.’

According to a BBC report, the group of cyber criminals – Qilin – tried to extort money from Synnovis, and the publication of data means the company did not pay.

The group, which is thought to be based in Russia, spoke with the BBC via an encrypted messaging service, claiming that the attack on Synnovis was a way to punish the UK for not helping enough in an unspecified war.

NHS England advice to patients

  • Continue to attend appointments unless you have been asked not to
  • Be alert to approaches from anyone claiming to have your data and to any other suspicious calls or emails, particularly if you are asked to provide personal or financial data 
    • If you are contacted by someone who makes these claims, contact Action Fraud 
  • There is no suggestion the criminals have gained access to NHS emails, but as a reminder, you will not receive any unexpected contact from the NHS asking for personal or financial information 
  • Check the NHS website for up to date information about the cyber incident and whether individuals’ data has been stolen and released
  • If you need to speak to someone about your questions, call the incident helpline on 0345 8778967

Source: NHS Digital

A version of this story was first published on our sister title Pulse.

Want news like this straight to your inbox?

Related articles