Stay up to date with notifications from The Independent

Notifications can be managed in browser preferences.

Investigation into cyber attack ‘could take weeks’, says NHS England

Russian group Qilin attacked Synnovis, which provides pathology services to NHS trusts and GP services, primarily in south-east London, on June 3.

Jane Kirby
Friday 21 June 2024 12:51 EDT
A website and helpline has been set up for patients affected by the ransomware attack (Dominic Lipinski/PA)
A website and helpline has been set up for patients affected by the ransomware attack (Dominic Lipinski/PA) (PA Wire)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

It could take weeks to complete investigations into a cyber attack affecting hospitals in London, with some patients needing to undergo repeat tests, NHS England has said.

A website and helpline has been set up for patients affected by the ransomware attack on NHS provider Synnovis, which happened on June 3.

Russian group Qilin attacked Synnovis, which provides pathology services to NHS trusts and GP services, primarily in south-east London.

These files are not simple uploads and so investigations of this nature are highly complex and can take weeks if not longer to complete

NHS England

Hundreds of operations and appointments are still being cancelled two weeks after the incident.

NHS England said in a statement on Friday that investigations into what happened could take weeks.

It said: “NHS England has been made aware that a cyber criminal group published data last night which they are claiming belongs to Synnovis and was stolen as part of this attack.

“The National Crime Agency and National Cyber Security Centre are working to verify the data included in the published files as quickly as possible.

“We understand that people may be concerned by this and as more information becomes available through Synnovis’ full investigation, the NHS will continue to update patients and the public.

“A helpline has been set up and is available to answer questions …

Patients should continue to attend scheduled appointments and access urgent care as normal.”

Full technical restoration will take some time, and the need to re-book tests and appointments will mean some disruption from the cyber incident will be felt over coming months

NHS England

The webpage is digital.nhs.uk/news/synnovis-cyber-incident and contains the most up-to-date information for patients.

Anyone who wishes to speak to somebody can call 0345 8778967.

NHS England said the National Crime Agency and National Cyber Security Centre “are working to verify the data included in the files published by the criminals”.

It added: “These files are not simple uploads and so investigations of this nature are highly complex and can take weeks if not longer to complete.”

Synnovis still have a copy of the data encrypted in the incident, and so historic test results will be available to clinicians once the IT systems are restored

NHS England

Any unprocessed blood samples were made safe by Synnovis after the incident and stored in their labs.

But NHS England said, due to the time that had now lapsed, some of these samples were no longer suitable for analysis and would need to be discarded.

“Synnovis is working with the NHS trusts and GP practices to determine which samples are affected and the process for informing patient,” it said.

“We understand the distress this will cause patients who have to re-test.

We know how worrying this development may be for many people. We are taking it very seriously and an analysis of this data is already under way

Synnovis

“Synnovis have also put additional resources in place to ensure that urgent samples received from GP practices or hospitals can still be processed within appropriate time frames.

“Synnovis still have a copy of the data encrypted in the incident, and so historic test results will be available to clinicians once the IT systems are restored.”

Synnovis is now understood to be focused on the technical recovery of the system, with plans in place to begin restoring some functionality in its IT system in the weeks to come.

“Full technical restoration will take some time, and the need to re-book tests and appointments will mean some disruption from the cyber incident will be felt over coming months,” NHS England added.

According to the BBC, Qilin shared almost 400GB of data – including patient names, dates of birth, NHS numbers and descriptions of blood tests – on their darknet site and Telegram channel.

Spreadsheets containing financial arrangements between hospitals and GP services and Synnovis were also published, the BBC reported.

Synnovis, in a statement on Friday, said: “We know how worrying this development may be for many people. We are taking it very seriously and an analysis of this data is already under way.”

Between June 10-16, the second week after the attack, more than 320 planned operations and 1,294 outpatient appointments were postponed at King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust.

The number of rearranged planned operations had gone down by 494 since the first week after the attack, June 3-9, but the number of missed outpatient appointments had increased by 394.

We are aware data has been published and we are working closely with partners from the National Cyber Security Centre, NHS England and others to understand its impact and provide support

NCA spokesperson

The total so far was 1,134 planned operations and 2,194 outpatient appointments postponed, according to NHS England London figures.

Urgent and emergency services have remained available as usual.

Meanwhile, an NCA spokesperson said: “The National Crime Agency is leading the criminal investigation into a recent cyber incident affecting hospitals.

“We are aware data has been published and we are working closely with partners from the National Cyber Security Centre, NHS England and others to understand its impact and provide support.

“As our investigation is in its early stages, we are unable to comment further at this time.”

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in