London hospitals hackers publish stolen blood test data

A gang of cyber criminals causing huge disruption to multiple London hospitals has published sensitive data stolen from an NHS blood testing company.

Qilin has been trying to extort money from NHS provider Synnovis since they hacked the firm on 3 June.

The gang previously told the BBC they would be publishing the data unless they got paid.

Overnight on Thursday they shared almost 400GB of the private information on their darknet site and Telegram channel.

The data includes patient names, dates of birth, NHS numbers and descriptions of blood tests. It is not known if test results are also in the data.

There are also business account spreadsheets detailing financial arrangements between hospitals and GP services and Synnovis.

The fallout from the Synnovis hack has been one of the worst cyber-attacks ever in the UK with more than 1000 hospital and GP appointments and operations affected by the disruption to pathology services.

The ransomware hackers infiltrated the computer systems of the company used by two NHS trusts in London and encrypted vital information making IT systems useless.

As is often the case with these gangs, they also downloaded as much private data as they could to further extort the company for a ransom payment in Bitcoin.

It is not known how much money the hackers demanded from Synnovis or if the company entered negotiations. But the fact Qilin has published some, potentially all, of the data means they did not pay.

Law enforcement agencies around the world regularly urge victims of ransomware not to pay as it fuels the criminal enterprise and does not guarantee that the criminals will do as they promise.

Ransomware expert Brett Callow from Emsisoft said healthcare organisations were increasingly being targeted as the hackers knew that they could cause a lot of harm and sometimes get a big pay day.

“Cybercriminals go where the money is and, unfortunately, the money is in attacking the healthcare sector. And since United Health Group reportedly paid a $22m [£17.3m] ransom earlier this year, the sector is more squarely in the crosshairs than ever before,” he said.

On Tuesday night Qilin spoke to the BBC on an encrypted messaging service and said they had deliberately targeted Synnovis as a way to punish the UK for not helping enough in an unspecified war.

Qilin, which has a well-established record of attempting to extort money, claimed in this instance it had carried out a cyber-attack as a protest.

“We are very sorry for the people who were suffered because of it. Herewith we don’t consider ourselves guilty and we ask you don’t blame us in this situation. Blame your government.”

Qilin’s claims of having an activist motive are largely being met with scepticism.

On their darknet site they have leaked stolen data from other healthcare organisations, schools, companies and councils around the world for money.

The gang, which is thought to be based in Russia, like many ransomware crews, would not say where it was.

It said the UK government “don’t even put a penny on the lives of those who fight on the front edge of free world”, which is reminiscent of language used to describe Ukraine’s fight against Russia’s invasion.

But it might also refer to Russian troops fighting against Ukraine.

The group says it chose to attack blood test firm Synnovis, which is used by two London NHS trusts, deliberately.

“Our citizens are dying in unequal combat from a lack of medicines and donor blood," it said.

Researchers have previously said, external Qilin posted adverts for hackers to join its criminal service in Russian.

It would be unusual but not unprecedented for Qilin hackers to be in Ukraine, which has seen many alleged ransomware hackers arrested in recent months.

It is very rare for hackers to be arrested in Russia as the government there refuses to co-operate with Western law enforcement requests.

Qilin refused to be more specific about its political allegiance or geography "for security reasons".