More than two weeks after a ransomware assault, pathology provider Synnovis reveals that ‘capacity to process samples has been significantly reduced’, as attackers claim to have published 400GB of data

The Russian cybercriminals alleged to have perpetrated a major ransomware attack impacting NHS services in London now claim to have published vast amounts of sensitive data.

The Qilin gang has reportedly released online 400GB of data gained during the attack earlier this month on pathology provider Synnovis, a joint venture between diagnostics firm Synlab and two major London NHS trusts: Guy’s and St Thomas’; and King’s College.

In a statement issued on Friday morning, NHS England said: “NHS England has been made aware that the cybercriminal group published data last night which they are claiming belongs to Synnovis and was stolen as part of this attack. We understand that people may be concerned by this and we are continuing to work with Synnovis, the National Cyber Security Centre and other partners to determine the content of the published files as quickly as possible. This includes whether it is data extracted from the Synnovis system, and if so whether it relates to NHS patients.”

As of this afternoon, the health service added that it has launched a helpline to answer questions from the public, and a web page has been created where updates will be posted “as we have further information about whether data has been leaked, and which data that is”.

Earlier in the week, Synnovis provided an update acknowledging that, two weeks on from the attack on 3 June, its capacity for processing blood work remains “significantly reduced” – with available resources being focused on the most urgent work.

“We have delivered temporary workarounds including the redirection of non-urgent blood tests and result processing to other pathology labs to allow us to focus on urgent samples received from GPs, to ensure there is sufficient capacity for urgent testing and to prioritise the most clinically urgent tests for acute patients being cared for by our NHS hospital partners,” it added.

Related content

• ‘Boots on the ground’ – NHS signs £3m in deals for cyber incident support
• Cybercriminals release ‘substantial amount’ of Scottish NHS data
• Cyber Security Week: Analysis – how and where are attackers getting in?

The pathology specialist revealed that its recovery efforts have “already brought our analysers back online, which is significant progress at this stage of the recovery process”.

The difficulties caused by the attack resulted in the NHS making an urgent plea for blood donations from those with type O blood – which can be safely used in all patients, minimising the need for pathology checks.

The NHS has created an FAQ page online to try and provide key information on the attack. The document outlines that, while some functionality will be recovered “in the weeks to come, full technical restoration will take some time, however, and the need to re-book tests and appointments will mean some disruption from the cyber incident will be felt over coming months”.

In the meantime, the health service is seeking to manage risks “by working as a team across hospitals and other NHS organisations… to make sure that as many patients are being seen as possible.

“Hospitals that are not affected by the attack are creating capacity to take patients from those who are, and London’s specialist clinical networks are offering mutual aid across areas such as cardiac surgery, renal surgery, maternity and specialist paediatrics,” the FAQ page added. “Teams are minimising risks as much as possible by focusing on the highest priority patients by clinical need. All tests are being triaged on arrival at the lab, so that the most clinically urgent are processed first. Synnovis is exploring opportunities to work with other laboratories in the local area as well as further afield to increase the number of tests which can be processed as quickly as possible. Synnovis is testing alternative IT arrangements so they can automate the reporting of tests results to reduce the amount of manual effort required.”

Claims that Qilin has now published the stolen data comes in the same week as about 150,000 people across southern Scotland were warned that they should assume they had been impacted by another recent ransomware attack on the NHS Dumfries and Galloway health board.