Ransomware gang leak 400GB of NHS data from London hospital hack

Hackers who launched a ransomware attack on London hospitals have published sensitive patient data stolen from an NHS blood testing partner.

The cyber-criminal gang Qilin have shared almost 400GB of confidential information stolen from the NHS provider Synnovis across their darknet site.

The Russian gang hacked Synnovis – a partnership between London hospital trusts and Synlab – on June 3 and have been trying to extort money from the NHS provider ever since. The gang had demanded upward of $50 million from Synnovis not to release the data.

Synnovis said: “We know how worrying this development may be for many people. We are taking it very seriously and an analysis of this data is already underway.”

The hack led NHS officials to call a critical incident after pathology services in King’s College Hospital, Guy’s and St Thomas’ and other trusts were rendered unusable by the hack.

The leaked data includes patient names, dates of birth, NHS numbers and blood test results, though it has yet to be confirmed by NHS England that the data is legitimate.

An NHS England statement said: “We understand that people may be concerned by this and we are continuing to work with Synnovis, the National Cyber Security Centre and other partners to determine the content of the published files as quickly as possible. This includes whether it is data extracted from the Synnovis system, and if so whether it relates to NHS patients.”

The hack resulted in more than 3,000 hospital and GP appointments, and operations facing delay or cancellation.

Darren Guccione, CEO and co-founder at Keeper Security, said the breach “highlights the critical need to prioritise robust cybersecurity measures in the healthcare sector.”

“Healthcare institutions must adopt a zero-trust architecture and enforce least-privilege access, ensuring employees have access only to the information necessary for their roles,” he added.

“Comprehensive security event monitoring and the use of Privileged Access Management (PAM) solutions are essential to safeguard privileged accounts, secure credentials and enforce strong enterprise password management.

Moreover, organisations should implement rigorous incident response plans and regular cybersecurity training to quickly identify and mitigate threats.”

With the number and complexity of ransomware attacks on the rise, law enforcement agencies across the globe regularly urge victims not to pay because it perpetuates the criminal enterprise, without guaranteeing the hackers will delete or return data even when paid.

However, the Synnovis hack highlights the risk of failing to pay, with gangs often willing to publish sensitive data online with no regard for privacy or safety.

Graeme Stewart, Head of Public Sector at Check Point Software, said the breach highlights a “concerning trend” that is increasingly threatening public sector organisations.

He added: “This incident also highlights the general reluctance to pay for restoration. Public sector bodies adhere to policies of non-engagement with ransom demands, reflecting a broader stance against rewarding criminal behaviour.

“While this principled approach is understandable, it also underscores the importance of robust cybersecurity measures to prevent attacks in the first place, as relying on post-attack solutions is neither feasible nor desirable.”