Patient care organizations have unfortunately become a very popular target for ransomware gangs in recent years. The danger of that trend has been illustrated once again by a recent cyber attack on London hospitals, caused by an attack on a shared pathology lab that had been previously identified as a cybersecurity risk.
Bloomberg obtained internal documents from the Guy’s and St Thomas’ NHS Foundation Trust board of directors that indicate that, as recently as January of this year, the members were discussing the risk level of various contractors and their observed shortcomings in cybersecurity posture. Synnovis, the pathology lab that fell victim to the recent cyber attack, was among the contractors named.
While the discussions indicate that London hospitals are well aware that they are now prime targets for cyber attacks and have been beefing up their internal defenses accordingly, they still have limited ability to push third-party vendors into similarly protecting sensitive information.
Cyber attack delayed critical surgeries, struck heavy blow to blood supply
Synnovis has acknowledged the incident but is yet to confirm the cyber attack or provide any details on how it happened. Third-party security analysts have attributed it to a Russian cyber gang, but the presence of ransomware was clear just from the devastating effect it has had on London hospitals throughout the month of June.
Board members of the involved trusts appeared to have been anticipating and fearing exactly this scenario for years now, going by the documents leaked to Bloomberg reporters. Cybersecurity issues with vendors such as Synnovis appear to be endemic, a situation that is not unfamiliar to many different industries.
London hospitals had good reason to fear vendor compromise of this nature. The crippling of the shared pathology lab is thus far estimated to have caused over 1,100 operations to be rescheduled, about 200 of those involving an emergency or critical issue. And NHS England has said that full recovery should not be expected for months.
In addition to disrupting operations and blood transfusions, the cyber attack has also resulted in some 400 GB of patient information being dumped to the dark web. This appears to mostly consist of basic patient information attached to blood tests, but does include descriptions of the tests in connection with patient NHS numbers and birth dates. Some of Synnovis’s internal financial information was also apparently stolen and leaked. Potentially impacted patients may not have a full picture of what was leaked for some weeks as the National Crime Agency and National Cyber Security Centre continue to investigate.
London hospitals could be looking at months-long recovery time
The cyber attack on Synnovis began on June 3 and the full scope of impacted London hospitals includes those overseen by Guy’s and St Thomas’ NHS Foundation Trust, King’s College Hospitals NHS Trust, and South London and Maudsley NHS Foundation Trust. Medical testing firm SYNLAB, Europe’s largest, is also impacted. General practitioners in about half a dozen London boroughs are also feeling the effects.
Qilin, a ransomware-as-a-service provider thought to be based in Russia, is the apparent culprit behind the cyber attack. The group has been active since at least mid-to-late 2022 and has previously mostly pursued smaller fish, though it may now be “leveling up” as some of its larger counterparts are being picked off by law enforcement operations.