The government is considering striking back against Russian hackers who have stolen records covering 300m patient interactions with the NHS, including the results of blood tests for HIV and cancer, the Guardian can reveal.
The National Crime Agency (NCA) is weighing up the possibility of taking retaliatory action against Qilin, the Russian-based ransomware gang who put into the public domain early on Friday a huge tranche of highly sensitive NHS records they stole in a cyber-attack on 3 June.
Health service bosses in London, where the hack was focused, have responded to the widespread alarm that Qilin’s action has caused by setting up a helpline to answer queries from anxious patients.
They have urged patients who may have had details of care they received from the NHS trusts and GP surgeries affected in south-east London to “not contact your local hospital or GP practice to ask whether your data has been impacted by this attack as they do not hold this information”.
Qilin’s action, which was an indication its demand for a reported $50m (£40m) ransom had been ignored, has prompted discussions between the NCA and the National Cyber Security Centre (NCSC) about how to respond. The government’s communications centre, GCHQ, is thought to be aware of the conversations.
A source with knowledge of the options being explored said: “There’s a specialist [NCA] team behind the scenes working to access, understand and remove the data if possible.”
The NCA is contemplating taking action to remove as much of the data as possible that Qilin put on a messaging platform in the early hours of Friday morning, the source added. “That’s being investigated and what’s possible. [Action is likely because] it’s effectively an attack on the state.”
Cybersecurity sources said the impact of any operation to reclaim the data, or take it down, could be lessened if the Qilin gang had already copied the files and was able to post them elsewhere.
UK law enforcement has set a precedent for taking on ransomware gangs directly. The gangs represent a challenge for authorities because they are known to operate out of Russia or former Soviet states.
However, the NCA recently disrupted the operations of the world’s largest ransomware outfit – the LockBit group – in a joint operation with international partners.
In February the agency said it had seized the entire “command and control” apparatus for LockBit, including the leak site where it displayed victims’ hacked data. The operation also took control of the infrastructure behind LockBit’s ransomware-as-a-service operation, in which affiliates lease out the malicious software, or malware, that infiltrates and disables victims’ computer systems.
The operation was carried out jointly with the FBI, Europol and a coalition of international police agencies and led to the unmasking of the gang’s alleged leader, the Russian national Dmitry Khoroshev.
The Guardian disclosed on Friday that the hackers had stolen far more data than previously thought. They obtained records covering 300m patient interactions with the NHS, including the results of blood tests for HIV and cancer.
The attack has caused serious disruption for seven hospitals run by King’s College hospital foundation trust and Guy’s and St Thomas’ foundation trust, two of the health service’s biggest and busiest care providers. Qilin targeted Synnovis, a private/NHS joint venture that provides pathology services such as blood tests and transfusions. It is unclear at this stage if the hack involved only hospitals in those trusts or was more widespread, as Synnovis also undertakes work for other NHS trusts elsewhere in England.
The two trusts had to cancel 1,134 planned operations, including cancer and transplant surgery, and postpone 2,194 outpatient appointments in the first 13 days alone after the attack, NHS England’s London region said on Thursday.
It is as yet unclear exactly what data, or how much of the haul, the ransomware group has made public. But well-placed sources said the stolen data included details of the results of blood tests conducted on patients having many types of surgery, including organ transplants; on those suspected of having a sexually transmitted infection; and on those who had had a blood transfusion.
In a statement on Friday, NHS England said the NCA and NCSC were “working to verify the data included in the files published by the criminals. These files are not simple uploads and so investigations of this nature are highly complex and can take weeks, if not longer, to complete.”
skip past newsletter promotion
after newsletter promotion
However, the amount and sensitive nature of the data obtained by Qilin , as well as the gang making public at least some of what it took, has caused alarm among NHS bosses.
NHS England said, in a warning that patients could now be targeted by criminals seeking a ransom: “You should always be alert to approaches from anyone claiming to have your data and to any other suspicious calls or emails, particularly if you are asked to provide personal or financial data.”
Anyone who is contacted in relation to their NHS data should immediately call Action Fraud, it added.
The NHS’s “incident helpline” went live on Friday and is available on 0345 8778967.
In addition, in a development that will cause anxiety among patients who have received private healthcare in recent years, Qilin’s haul is understood to include records of tests that people have had at multiple private healthcare providers. It is not clear which private healthcare firms Synnovis – a joint venture between the pathology firm Synlab and the two London acute hospital trusts – works for and if they include operators of the capital’s array of private hospitals.
The NHS is working hard to shift what care it can to other providers and has managed over the last week to increase the amount of blood tests it can do from 10% of the usual number to 30%.
The fact that Qilin has locked Synnovis out of its own IT system means the hospitals and GP surgeries affected, which care for 2 million patients, are still having to severely ration access to blood tests. They can only do 30% of their usual numbers.
Tim Mitchell, a senior researcher at the cybersecurity company Secureworks, said the data-posting signalled that the negotiation period had ended. “For the most part, by the time the data has been leaked the ransomware negotiations are generally over,” he said.
Synnovis has not confirmed whether it has held talks with Qilin.