Hospitals in London had to cancel almost 1,600 operations and outpatient appointments in the first week after being hit by a Russian cyber-attack, the NHS has disclosed.
The two major acute hospital trusts in the capital that were worst affected postponed 832 surgical procedures between Monday 3 June, when the hack began, and Sunday 9 June.
They included cancer surgery, organ transplants and planned caesarean sections as well as heart procedures, bariatric surgery on obese patients and hip and knee replacements.
King’s College and Guy’s and St Thomas’ trusts also had to rearrange 736 appointments for patients who were due to see a consultant specialising in their condition during that time.
NHS England’s London region, which has been coordinating the response to the cyber strike, released the figures on Friday in its first detailed statement about the major disruption that the hack is causing at GSTT, King’s and four other trusts, which together care for 2 million people.
In the attack, the Russian-based Qilin criminal gang infiltrated the IT system of the pathology specialist Synnovis and in effect locked it out by encrypting its files, making them inaccessible. Synnovis is a joint venture between the NHS and the private firm Synlab to provide pathology services that are vital to the NHS’s smooth running, such as blood tests.
The impact of the attack is so serious that 18 organs, mainly kidneys, that would usually have been used in transplants at King’s had to be given instead to other hospitals.
Dr Chris Streather, NHS London’s medical director, said: “There is no doubt that the ransomware cyber-attack on Synnovis is having a significant impact on services in south-east London, with hundreds of appointments and procedures being postponed. While staff are working round the clock to mitigate the impact and Synnovis is working to recover its IT system, we expect disruption to be felt for some time.”
Streather’s comment appears to corroborate the warning earlier this week from a senior NHS source who told the Guardian that it would be “many months” before the NHS bodies affected got back to normal service.
St George’s hospital, a few miles away in south-west London, has been playing a key role in “mutual aid” arrangements that the NHS has began putting in place. It has taken some very sick and complicatedly unwell patients needing what it described as “major life-changing surgery”, who GSTT and King’s would usually have looked after, including heart patients.
It remains unclear whether Qilin has stolen patient data alongside the disabling of Synnovis’s systems. Ransomware attacks, including those carried out by Qilin, typically involve a victim’s computer systems being encrypted as well as data being stolen in a process known as double extortion.
NHS England said investigations were “continuing to establish any possible impact to data”, indicating that it is unclear whether patient information has been taken.
As of Friday evening, Qilin had not posted data from the Synnovis hack on its extortion site on the dark web. Such postings are normally an indication that data has been stolen but a ransom for its return has not been paid, with the publication of stolen information deployed as a blackmail negotiation tactic.
The absence of such a post raises the possibility that data was not taken during the attack, with the locking up of Synnovis’s systems being the main source of damage. Ransomware assailants also demand payment, usually in cryptocurrency, for the unlocking of files it has encrypted with malicious software or malware.
Ciaran Martin, a former head of the UK’s National Cyber Security Centre, said the Qilin incident was one of the worst cyber-attacks the country had ever experienced.
“In terms of its impact on vulnerable people, this is one of the worst and most distressing cyber incidents ever seen in the UK,” he said.
Freddy Jenkins, an associate at S-RM, a cybersecurity consultancy firm specialising in ransomware attack response, said establishing whether data had been stolen in the wake of an incident could be “challenging”, with investigators “limited by the data that is available for analysis”.
He added: “Ransomware groups are also increasingly taking steps to frustrate the investigative process by destroying evidence and covering their tracks.”
