A Russian cybercriminal group was behind the ransomware attack affecting major London hospitals, the former director general of the National Cyber Security Center has said.
Ciaran Martin said the attack on pathology services firm Synnovis had led to a “significant reduction in capacity” and that “this is a very, very serious incident”.
Following the attack, hospitals declared a critical situation, canceled surgeries and tests, and were unable to perform blood transfusions.
Notes sent to NHS staff at King’s College Hospital, Guy’s and St Thomas’s (including the Royal Brompton and Evelina London Children’s Hospital) and primary care services in the capital said there had been a “major IT incident”.
Asked on BBC Radio 4’s Today program whether it was known who attacked Synnovis, Mr Martin said: “Yes. We believe it is a Russian cybercriminal group calling themselves Qilin.
“These criminal groups – they are quite numerous – operate freely in Russia, give themselves high-profile names, have websites on the so-called dark web, and this group has about two… Annual history of attacks on various organizations around the world.
“They blamed the auto companies, they attacked the Big Problem in the UK, they attacked the Australian courts. They’re just looking for money.”
He said it was “unlikely” Russian hackers knew they would cause such a serious disruption to essential healthcare services when they launched the attack.
He added: “There are two types of ransomware attacks. The first is when they steal a bunch of data and try to force you to pay to keep that data from being exposed, but this case is different. It is the more serious type of ransomware in which the system does not work.
“So if you’re working in that trust in healthcare, you’re not going to get those results, so that’s really seriously disruptive.
“This type of ransomware has impacted healthcare around the world.
“This is particularly harmful in the United States, and where these types of cyberattacks differ from others in terms of their impact is that they impact people’s healthcare. “So this is truly one of the most serious situations we’ve seen in this country.”
He said the government had a policy of not paying, but the company would be free to pay the ransom if it wanted.
Regarding patient data, he said: “The issue here is not actually a data issue, it is a service issue.
“Criminals threaten to release the data, but they do it all the time. “The priority here is to restore services.”
Synnovis is a provider of pathology services and was formed from a partnership between SynLab UK and Ireland, Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospital NHS Foundation Trust.
Some procedures and operations in hospitals have been canceled or diverted to other NHS providers as hospital bosses determine what work can be done safely.
NHS officials said they were working with the National Cyber Security Center to understand the impact of the attack.
Synnovis said the incident had been reported to law enforcement and the Information Commissioner.
Health Minister Victoria Atkins said on Wednesday her “absolute priority is patient safety”.
Ms Atkins wrote on social media site X, formerly Twitter: “I held meetings with NHS England and the National Cyber Security Center throughout yesterday to oversee the response to the cyber attack on pathology services in south-east London.
“My absolute priority is patient safety and the safe resumption of services in the coming days.”
The Health Service Journal (HSJ) reported a senior NHS manager as saying: “This is everyone’s worst nightmare.
“The challenge is that testing volumes will be huge if the whole system remains down. Even if you can move samples to other laboratories around London, how do you get the results back because they’re not integrated that way?”
“Emergency testing will need to be managed on site. “They will no doubt ask GPs to only send urgent tests to manage volumes.”
Another source told HSJ that the attack poses a huge problem for urgent and urgent care in hospitals as they will not be able to access quick-result blood test results.
Synnovis said Wednesday it could not comment further on the attack.
A spokesperson for the NHS England London region said on Tuesday that Monday’s incident had a “significant impact” on the delivery of services at Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trust and primary care in south-east London.
“We are working urgently, with the support of the government’s National Cyber Security Center and our cyber operations team, to fully understand the impact of the incident.”
Synnovis chief executive Mark Dollar said a task force of IT experts from Synnovis and the NHS was working to fully assess the impact and what action was required.
“Unfortunately, this is impacting patients; some activities have already been canceled or diverted to other providers as urgent work is prioritized,” he said.
The patient, 70-year-old Oliver Dowson, was prepared for surgery at the Royal Brompton Hospital from 6am on Monday, June 3, and at around 12.30pm, a surgeon told him that the surgery would not go ahead.
He told the PA news agency: “Staff on the ward didn’t seem to know what was happening, just that many patients were told to go home and wait for a new date.
“I was given a date for next Tuesday and to my surprise, this is not the first time they have cancelled, they did this on May 28th as well, but this was probably due to staff shortages during the half-term break.”
Vanessa Welham, from Streatham, south-west London, said her husband’s blood test at Gracefield Gardens health center was canceled on Monday evening and she was informed local centers were not taking bookings for an “indefinite period”.
According to HSJ, a senior source said pathology results could take “weeks, not days” to be available.