Ransomware Attack on British Pathology Lab Disrupted Patient Care for Months

Following a ransomware attack that occurred in June 2024, a British pathology lab is now informing affected healthcare providers about the breach of patient data. This incident, which caused significant disruptions to healthcare services and contributed to blood shortages, has raised concerns over the security of sensitive patient information.
Pathology services firm Synnovis reports that it has finalized an intricate forensic analysis of the data compromised during the attack, affirming that notices will be sent out to providers by November 21. In accordance with U.K. regulations, these providers are tasked with notifying their patients if necessary.
Cybercriminals reportedly executed the attack in a haphazard manner, extracting data without targeting specific items, which complicates the analysis of the stolen files. The prolonged investigation needed to establish what data was taken in this chaotic breach was described as “painstaking” by Synnovis CEO Mark Dollar. Importantly, the firm disclosed that no essential lab database information was extracted during the assault.
According to U.K. data protection laws, each impacted healthcare organization must evaluate the information provided by Synnovis and determine any necessary notifications to affected patients. Synnovis has refrained from disclosing the number of healthcare providers or patients impacted by the breach.
The firm further explained its extensive data analysis process, stating that it employed client codes, ODS codes, and SAP coding where available to match stolen data with healthcare providers. In cases lacking these identifiers, forensic teams attempted manual mapping using file names and other references.
Impact of the Attack
Elements of personal information, including patient NHS numbers and names, were among the data compromised. A small subset of data even contained test results linked to individual patients, presenting serious risks in terms of privacy and security. Synnovis highlighted the complexity of interpreting this data due to its varied formats and partial information.
The attack, orchestrated by the Russian-speaking ransomware group Qilin, stands out as one of the most disruptive incidents in the healthcare sector outside the United States. This calculated attack significantly impacted nearly all IT systems at Synnovis, resulting in the cancellation of over 10,000 acute outpatient appointments and 1,700 elective procedures at several hospitals, including notable NHS trusts in London.
Although IT services were restored by late fall last year, the repercussions of the cyberattack persisted: the U.K. experienced shortages of O-negative blood for months thereafter. There are concerning implications related to patient care, with National Health Service investigations linking the cyberattack to delays in critical blood test results.
In response to this incident, Synnovis has committed to enhancing its IT infrastructure security and has collaborated with NHS task forces to rebuild its applications from the ground up. The company has firmly stated that it did not pay any ransom, adhering to its ethical stance against funding cybercriminal enterprises that threaten public safety and privacy.
Viewed through the lens of the MITRE ATT&CK framework, the potential tactics in this attack that merit attention include initial access, exploitation of vulnerabilities, and exfiltration of data. By understanding these tactics, organizations can better prepare for future incidents.