London hospital hackers release data on stolen blood tests

  • Author, Joe Tidy
  • Role, Cyber Correspondent, BBC World Service

A gang of cybercriminals who have caused huge disruptions to many London hospitals have released sensitive data stolen from an NHS blood testing company.

Qilin has been trying to extort money from NHS provider Synnovis since it hacked the business on June 3.

The gang previously told the BBC they would release the data if they were not paid.

Overnight on Thursday, they shared nearly 400GB of private information on their darknet site and Telegram channel.

The data includes patient names, dates of birth, NHS numbers and descriptions of blood tests. It is not known if the test results are also in the data.

There are also commercial account tables detailing the financial arrangements between the hospitals and GP services and Synnovis.

Image caption: Screenshot taken from Qilin’s darknet leak with information about Synnovis.

The fallout from the Synnovis hack has made it one of the worst cyber-attacks ever seen in the UK, with more than 1,000 hospital and GP appointments and operations affected by the disruption to pathology services.

Ransomware hackers broke into the computer systems of the company, which is used by two NHS trusts in London, and encrypted critical information, rendering the IT systems useless.

As is common with these gangs, they also downloaded as much private data as possible to further extort bitcoin ransoms from the company.

It is not known how much money the hackers demanded from Synnovis, or whether the company entered into negotiations. But the fact that Qilin released some, potentially all, of the data means the company did not pay.

Law enforcement agencies around the world regularly encourage victims of ransomware not to pay because it encourages criminal enterprise and does not guarantee that criminals will do what they promise.

Ransomware expert Brett Callow of Emsisoft said healthcare organisations were increasingly targeted because hackers knew they could do a lot of damage and sometimes get big payouts.

“Cybercriminals go where the money is, and unfortunately that money is in attacking healthcare. And because United Health Group reportedly paid a $22 million [£17.3m] ransom earlier this year, the sector is more closely in the crosshairs than ever before,” he said.

On Tuesday night, Qilin spoke to the BBC over an encrypted messaging service and said they had deliberately targeted Synnovis as a way to punish the UK for not helping enough in an unspecified war.

Qilin, which has a well-established record of extortion attempts, claimed in this case that it carried out the cyber-attack as a protest.

“We are very sorry for the people who suffered because of this. Hereby we do not consider ourselves guilty and ask you not to blame us in this situation. Blame your government.”

Qilin’s claims that it has an activist motive are mostly met with scepticism.

The gang has leaked stolen data from other healthcare organisations, schools, companies and councils around the world on its darknet site for money.

The gang, which like many ransomware crews is believed to be based in Russia, did not say where it was located.

It said the British government “doesn’t give a penny to the lives of those fighting on the front lines of the free world”, echoing language used to describe Ukraine’s fight against the Russian invasion.

But it could also refer to Russian troops fighting against Ukraine.

The group says it set out to target blood testing firm Synnovis, which is used by two London NHS trusts.

“Our citizens are dying in an unequal struggle due to lack of medicine and blood donations,” the statement said.

It would be unusual, but not unprecedented, for the Qilin hackers to be in Ukraine, where many alleged ransomware hackers have been arrested in recent months.

In Russia, it is very rare for hackers to be arrested because the government there refuses to cooperate with the demands of Western law enforcement agencies.

Qilin declined to be more specific about its political affiliation or geography “for security reasons”.
