Stay up to date with notifications from The Independent

Notifications can be managed in browser preferences.

Russian cyber criminals behind hospital ransomware attack, says former security chief

Two major NHS trusts were targeted as cyber criminals attacked blood test systems

Jane Kirby,Rebecca Thomas
Wednesday 05 June 2024 07:55 EDT
A Russian group of cyber criminals is behind the ransomware attack affecting major London hospitals, an expert has said (Myung Jung Kim/PA)
A Russian group of cyber criminals is behind the ransomware attack affecting major London hospitals, an expert has said (Myung Jung Kim/PA) (PA Archive)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

A Russian cyber crime group is behind the ransomware attack impacting major London hospitals, the former chief executive of the National Cyber Security Centre has claimed.

Ciaran Martin said the attack on pathology services firm Synnovis has led to a “severe reduction in capacity” and “it’s a very, very serious incident”.

Hospitals declared a critical incident and have cancelled operations and tests, and been unable to carry out blood transfusions.

Memos to NHS staff at King’s College Hospital, Guy’s and St Thomas’ (including the Royal Brompton and the Evelina London Children’s Hospital) and primary care services in the capital said there had been a “major IT incident”.

Sources told The Independent on Tuesday hospitals have had to cancel major operations such as transplants, and were facing big delays in turning around emergency tests in A&E.

Guy’s and St Thomas’ Hospital is among those affected by the cyber attack (Georgie Gillard/PA)
Guy’s and St Thomas’ Hospital is among those affected by the cyber attack (Georgie Gillard/PA) (PA Archive)

Asked on BBC Radio 4’s Today programme whether it is known who attacked Synnovis, Mr Martin said: “Yes. We believe it is a Russian group of cyber criminals who call themselves Qilin.

“These criminal groups – there are quite a few of them – they operate freely from within Russia, they give themselves high-profile names, they’ve got websites on the so-called dark web, and this particular group has about a two-year history of attacking various organisations across the world.

“They’ve done automotive companies, they’ve attacked the Big Issue here in the UK, they’ve attacked Australian courts. They’re simply looking for money.”

The National Cyber Security Centre has been approached for comment.

The former chief said it is “unlikely” the Russian hackers would have known they would cause such serious primary healthcare disruption.

He added: “There are two types of ransomware attack. One is when they steal a load of data and they try and extort you into paying so that isn’t released, but this case is different. It’s the more serious type of ransomware where the system just doesn’t work.

“So, if you’re working in healthcare in this trust, you’re just not getting those results so it’s actually seriously disruptive.”

He said the Government has a policy of not paying but the company would be free to pay the ransom if it chose to.

Regarding patient data, he said: “It’s not really a question of data in this one, it’s a question of the services.

“The criminals are threatening to publish data, but they always do that. Here the priority is the restoration of services.”

Synnovis is a provider of pathology services and was formed from a partnership between SynLab UK & Ireland, Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospital NHS Foundation Trust.

Emails to staff yesterday seen by The Independent revealed King’s College Hospital staff were told all non-emergency operations were to be postponed or patients redirected to other NHS hospitals.

NHS officials said they are working with the National Cyber Security Centre to understand the impact of the attack.

Synnovis said the incident has been reported to law enforcement and the Information Commissioner.

Health Secretary Victoria Atkins said on Wednesday that her “absolute priority is patient safety”.

On social media site X, formerly Twitter, Ms Atkins wrote: “Throughout yesterday I had meetings with NHS England and the National Cyber Security Centre to oversee the response to the cyber attack on pathology services in south-east London.

“My absolute priority is patient safety and the safe resumption of services in the coming days.”

The Health Service Journal (HSJ) reported one senior NHS manager saying: ”It’s everyone’s worst nightmare.

“The difficulty will be that when you have total system downtime, the volumes of tests will be huge. Even if you could transport samples around London to other labs how would you get the results back as they are not integrated in that way?

“Urgent tests will have to be managed onsite. They will no doubt be asking GPs to send urgent tests only, to manage volumes.”

Synnovis said on Wednesday it was unable to comment further on the attack.

A spokesman for NHS England London region said on Tuesday that Monday’s incident was “having a significant impact” on the delivery of services at Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trust and primary care services in south-east London.

“We are working urgently to fully understand the impact of the incident with the support of the Government’s National Cyber Security Centre and our cyber operations team.”

Synnovis chief executive Mark Dollar said a taskforce of IT experts from Synnovis and the NHS was working to fully assess the impact and what action is needed.

“Regrettably, this is affecting patients, with some activity already cancelled or redirected to other providers as urgent work is prioritised, ” he said.

A Russian group of cyber criminals is behind the ransomware attack affecting major London hospitals, an expert has said (Myung Jung Kim/PA)
A Russian group of cyber criminals is behind the ransomware attack affecting major London hospitals, an expert has said (Myung Jung Kim/PA) (PA Archive)

One patient, Oliver Dowson, 70, was prepared for an operation from 6am on Monday 3 June at the Royal Brompton Hospital when he was told by a surgeon at about 12.30pm that it would not be going ahead.

He told the PA news agency: “The staff on the ward didn’t seem to know what had happened, just that many patients were being told to go home and wait for a new date.

“I’ve been given a date for next Tuesday and am crossing my fingers – it’s not the first time that they have cancelled, they did it on 28 May too, but that was probably staff shortages in half-term week.”

Vanessa Welham, from Streatham, south-west London, said her husband’s blood test at Gracefield Gardens health centre was cancelled on Monday evening and he was informed that local centres were not taking bookings for an “indefinite period of time”.

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in