The government is considering hitting back at Russian hackers who have stolen records covering 300 million patient interactions with the NHS, including blood test results for HIV and cancer, The Guardian can reveal.
The National Crime Agency (NCA) is weighing up whether to retaliate against Qilin, the Russia-based ransomware gang that released into the public domain early on Friday a huge cache of highly sensitive NHS records they stole in a cyber attack on June 3.
Health service chiefs in London, where the attack was centred, have responded to widespread alarm over Qilin’s action by setting up a helpline to answer queries from anxious patients.
They have urged patients who received care from the affected NHS trusts and GP surgeries in south-east London to “not contact your local hospital or GP to ask if your data has been affected by this attack, as they do not retain this information.”
Qilin’s action, which was an indication that its demand for a $50m (£40m) ransom had been ignored, has sparked discussions between the NCA and the National Cyber Security Centre (NCSC) over how to reply. GCHQ, the government’s communications intelligence agency, is believed to be aware of the talks.
A source with knowledge of the options being explored said: “There is a specialist team (NCA) behind the scenes working to access, understand and delete the data if possible.”
The NCA is considering taking steps to remove as much as possible of the data that Qilin put on a messaging platform in the early hours of Friday morning, the source added. “This is being investigated, as is what is possible. It is likely that action will be taken because it is effectively an attack on the state.”
Cybersecurity sources said any operation to recover or delete the data would have limited effect if the Qilin gang had already copied the files and could republish them elsewhere.
There is some precedent for UK law enforcement taking on ransomware gangs directly, although the gangs pose a challenge to authorities because they are known to operate from Russia or former Soviet states.
However, the NCA recently disrupted the operations of the world’s largest ransomware group, LockBit, in a joint operation with international partners.
In February, the agency said it had seized all of LockBit’s “command and control” apparatus, including the leak site where it displayed victims’ hacked data. The operation also took control of the infrastructure behind LockBit’s ransomware-as-a-service operation, in which affiliates rent malicious software, or malware, that infiltrates and disables victims’ computer systems.
The operation was carried out jointly with the FBI, Europol and a coalition of international law enforcement agencies and led to the unmasking of the gang’s alleged leader, Russian national Dmitry Khoroshev.
The Guardian revealed on Friday that hackers had stolen much more data than previously thought. They obtained records covering 300 million patient interactions with the NHS, including blood test results for HIV and cancer.
The attack has caused serious disruption at seven hospitals run by King’s College Hospital Trust and Guy’s and St Thomas’ Trust, two of the health service’s largest and busiest care providers. Qilin attacked Synnovis, a private/NHS joint venture that provides pathology services such as blood tests and transfusions. It is unclear at this time whether the attack involved just hospitals in those trusts or was more widespread, as Synnovis also works for other NHS trusts elsewhere in England.
The two trusts had to cancel 1,134 planned operations, including cancer and transplant surgery, and postpone 2,194 outpatient appointments in the first 13 days alone after the attack, the London region of NHS England said on Thursday.
It is still unclear exactly what data, or how much of the loot, the ransomware group has made public. But well-placed sources said the stolen data included details of the results of blood tests carried out on patients undergoing many types of surgery, including organ transplants; about those suspected of having a sexually transmitted infection; and about those who had received a blood transfusion.
In a statement on Friday, NHS England said the NCA and NCSC were “working to verify the data included in the files published by criminals. These files are not simple uploads, so investigations of this nature are very complex and can take weeks, if not longer, to complete.”
However, the amount and sensitive nature of the data obtained by Qilin, as well as the fact that the gang has made public at least some of what it took, has caused alarm among NHS bosses.
NHS England said, in a warning that patients could now be targeted by ransom-seeking criminals: “You should always be alert to approaches from anyone claiming to have your details, and to any other suspicious calls or emails, particularly if whoever is contacting you asks you to provide personal or financial data.”
Anyone contacted in relation to their NHS data should immediately call Action Fraud, it added.
The NHS “incident helpline” went live on Friday and is available on 0345 8778967.
Furthermore, in a development that will cause anxiety among patients who have received private healthcare in recent years, the Qilin haul is understood to include records of tests people have had at multiple private healthcare providers. It is unclear which private healthcare companies Synnovis – a joint venture between the pathology company Synlab and two London acute hospital trusts – works for, and whether they include operators of the capital’s range of private hospitals.
The NHS is working hard to shift what care it can to other providers and over the last week has managed to increase the number of blood tests it can carry out from 10% of the usual number to 30%.
The fact that Qilin has locked Synnovis out of its own IT systems means that the affected hospitals and GP surgeries, which care for 2 million patients, are still having to severely ration access to blood tests, carrying out only 30% of their usual number.
Tim Mitchell, a senior researcher at the cybersecurity firm Secureworks, said the data release indicated the negotiation period was over. “For the most part, by the time data is leaked, ransomware negotiations are usually over,” he said.
Synnovis has not confirmed whether it has held talks with Qilin.