Hackers behind cyber attack ordered by judge to return stolen NHS patient data
15 August 2024, 12:54
A ransomware gang targeted pathology services provider Synnovis on June 3.
Hackers responsible for a cyber attack that led to more than 10,000 NHS appointments being cancelled have been ordered by a High Court judge to “unmask” themselves and return or delete stolen data.
Pathology services provider Synnovis was targeted by Russian cyber gang Qilin on June 3, with hackers reportedly obtaining confidential medical information and blood test results of more than 100,000 patients, the court was told.
The ransomware attack saw appointments cancelled at two London NHS trusts and prompted a warning that parts of the NHS’s IT system are “out of date” and at risk of further attacks.
In a written ruling on Thursday, Mrs Justice Stacey said she had granted Synnovis’s bid for an interim injunction seeking to prevent the release of stolen data.
The judge’s temporary order against “persons unknown” requires the hackers to provide their full names and addresses to allow for legal documents to be served on them.
Mrs Justice Stacey also said it was “plainly just and convenient” for the order to include “a prohibition preventing further unauthorised access of the claimant’s IT systems by the defendants – a so-called anti-hacking injunction” to help prevent more attacks.
Synnovis’s case was considered at a hearing in London last month, which the judge said was held in private due to discussions over “the theft of confidential, highly personal medical information”.
The BBC has reported that the Qilin gang has carried out “criminal hacks for extortion purposes of a range of public and private services and companies since 2022”, the judge was told.
After the Synnovis cyber attack, which saw a ransom note left on its IT systems, Qilin told the broadcaster it took responsibility.
The information obtained was the “commercially sensitive, private and… confidential” medical records of patients at the Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospital NHS Foundation Trust, the court was told.
Some data was released via the Telegram messaging platform on June 20, while a post of information and a statement was published on a website called “Wikileaksv2” on June 27.
Telegram had not responded to a request to remove information, while Wikileaksv2 is feared to be a “clone site” under the control of hackers, the judge heard.
Mrs Justice Stacey said there was “a real risk that further unauthorised, damaging disclosures” could be made.
“The defendants have come into possession of the claimant’s confidential information or property through criminal and unlawful actions,” the judge added.
“It has done so for the purpose of commercial gain. It is engaging in extortion.
“The claimant has established that publication of the information should not be allowed and that its use should be restricted.”
The judge continued: “I am also satisfied that the defendants must identify themselves – their actions appear unlawful and it appears that they are seeking to hide their identity behind a cloak of anonymity and an organisation, Qilin, which has no legal identity.”
According to the BBC, Qilin shared almost 400GB of data, including patient names, dates of birth, NHS numbers and descriptions of blood tests, on its darknet site and Telegram channel.
Earlier this month, NHS England London said a total of 10,001 acute outpatient appointments and 1,680 elective procedures had been cancelled across the two trusts.
It said more than 60 IT systems used in laboratories have been rebuilt, or are in the process of being rebuilt, with capacity increasing.
