Update: NHS England has confirmed that the cyber criminal group thought to be behind the attack is claiming to have released data that they say belongs to Synnovis and was stolen as part of the attack.
And the BBC is reporting that a sample of the data seen by it includes patient names, dates of birth, NHS numbers and descriptions of blood tests.
The Russian ransomware as a service group claiming to be behind the attack on London pathology provider Synnovis are demanding $50 million, by far the highest ransom demanded in Europe since the HSE cyberattack in 2021.
Synnovis is still working to bring its systems back online since the June 3 attack, which affected urgent and non-urgent pathology testing at Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust, as well as general practices in the area.
The Qilin ransomware group has claimed credit for the attack. Bloomberg reported that an alleged spokesperson for the group said they had ceased contact with Synnovis after failing to receive any ransom payment following the expiration of a 120-hour deadline.
In an update this week, Synnovis said its capacity to process samples was still significantly reduced as a result of the incident.
“We have delivered temporary workarounds including the redirection of non-urgent blood tests and result processing to other pathology labs to allow us to focus on urgent samples received from GPs,” the company said.
“Changes to processing of testing and results are being communicated directly to GPs and other service users to ensure a smooth transition.
“Synnovis is firmly focused on restoring services to our patients and users and working closely with NHSE and external specialists on technical recovery. We are delivering against a comprehensive plan which prioritises both clinical criticality and the safe and secure restoration of services.”
Synnovis has not specified which systems were directly affected by the attack. The provider uses a laboratory information management system (LIMS) from Epic, which provides the electronic patient record (EPR) system for Guy’s, along with the BloodTrack just-in-time blood management solution, but internal documents leaked to the Sunday Times show these were not affected.
The blood transfusion laboratory, however, could not access the Clinisys WinPath IT system.
A Synnovis spokesperson told the Information Security Media Group that it was aware of reports that an unauthorised third party has claimed responsibility for the attack.
“Our investigation into the incident remains ongoing, including assessing the validity of the third party’s claims and the nature and scope of the data that may be impacted.”
Irish cybersecurity expert Brian Honan of BH Consulting told ISMG that the ransom demand was “extraordinarily and unusually high”, especially compared to the 2021 attack against the HSE, which featured a $21 million ransom demand.
“Normally, ransomware demands are at a level that the criminals know the victim organisation can pay,” Mr Honan said. “This demand for $50 million could simply be a publicity stunt by the criminals in order to raise their notoriety amongst future victims as they know by demanding this high extortion fee they will get a lot of media attention, particularly in mainstream media outlets.”
