Data on nearly 1 million NHS patients leaked online following ransomware attack on London hospitals

People with symptoms of sensitive medical conditions, including cancer and sexually transmitted infections, are among almost a million individuals who had their personal information published online following a ransomware attack that disrupted NHS hospitals in London earlier this year, according to an analysis shared with Recorded Future News.

The examination by CaseMatrix, a company that works with legal firms to support claimants in data breach lawsuits, is the first public assessment of how many individuals might be affected by the cyberattack. CaseMatrix says more than 900,000 individuals have been caught up in the extortion attempt.

Neither NHS England nor the directly impacted pathology service provider Synnovis — both of whom are legally responsible for protecting patients’ information — have provided their own counts of people impacted by the cyberattack. On its website, Synnovis says it doesn’t know exactly what data was compromised nor who it relates to.

The stolen data, which was published in June by the Qilin ransomware gang, includes requests for appointments as well as for pathology and histology tests. It features in many cases details of symptoms for sensitive medical conditions that patients may not yet know have been exposed.

In a statement sent to Recorded Future News, Synnovis described its investigation into the incident as “advanced [and] ongoing” and said its work “involves interrogation of the published data to identify whether and to what extent any patient or employee data is affected.”

This work is ongoing more than three months after the initial incident. During the intervening period, Synnovis has been busy attempting to replace its critical pathology services. The impact of the cyberattack on blood testing has severely reduced blood stocks across the United Kingdom, leaving hospitals on the brink of limiting blood transfusions to only the most critical patients. There is still an urgent call for people with O negative and O positive blood types to donate blood.

While the company last week announced having successfully rebuilt the majority of its core IT systems and recovered its diagnostic services, the delay has meant that individuals whose data was compromised in the attack have not been provided with even a preliminary warning about the sensitivity of what has been exposed.

As analyzed by CaseMatrix, this data includes names, dates of birth, NHS numbers, and in some cases personal contact details, alongside pathology and histology forms that are used to share patient details between medical departments and institutions. The forms often describe symptoms of intimate and private medical conditions. 

In the entire dataset released by Qilin, CaseMatrix was able to identify 1.29 million entities that correspond to individual people. The company said its analysis typically had a 2-3% error rate, and accounting for this and the automated removal of duplicate entities — some of which will not be true duplicates — CaseMatrix was confident there remained in excess of 900,000 people affected by the breach.

In its statement, Synnovis said: “We are not in a position to comment on or confirm the validity or accuracy of analysis carried out by other parties, nor can we verify whether the data examined by these parties is in fact related to this incident.”

The company said its “investigation timeframe, in keeping with the scale and scope of such an incident, is commensurate with the time required to thoroughly conclude which individuals or organisations have been impacted” and pledged to “communicate with the relevant, impacted stakeholders” as “soon as it is appropriate and responsible to do so.”

According to Information Commissioner’s Office data, there has been a surge in ransomware attacks against organizations in the health sector in the first half of this year, with the sector now accounting for more than 12% of all reported breaches caused by cyber extortionists. 

There were 55 ransomware incidents reported to the regulator between January and June of 2024, 36 of them involving the hackers stealing patients’ data. The numbers are a significant increase on the 33 reports recorded across the entirety of 2023, when only 12 involved patient data being compromised.

Last month, Synnovis obtained a preliminary injunction from the English High Court against the Qilin ransomware group, as well as Telegram and another leak site, intended to prevent publication of the stolen data — alongside an “anti-hacking injunction” ordering Qilin not to access Synnovis’ IT systems.

While such injunctions are rare in the United Kingdom — particularly because the defendants are usually based in unknown or unfriendly jurisdictions and as such resistant to enforcement actions — they can offer legal teams a mechanism to notify platforms such as Telegram as well as ISPs to demand the removal of hacked data.

In its statement, Synnovis said it took the move “to reassure patients and our employees” and “limit the misuse of the stolen data.”

Following this injunction, the Telegram channel used by Qilin to distribute the data no longer appears to be active.