South Africa national lab says ransomware recovery to last until mid-July

South Africa’s National Health Laboratory Service (NHLS) is pledging to have some systems back online by the middle of this month following a ransomware attack in June. 

A spokesperson for NHLS said they were not at liberty to make any new comments about the situation and referred Recorded Future News to a statement made on July 3, which gave a restoration estimate of mid-July.  

The NHLS said on Monday that the statement still stands. But in the meantime, the agency has had to take a range of steps to deal with outages in disseminating test results to physicians across the country. 

Providing test results to clinics is “still a challenge” because officials still have not been able to restore WebView — a portal where doctors and nurses could login and see automatically generated test results. 

Now, all urgent test results are delivered over the phone to health officials. The organization has also sent out a list of “critical tests” to all health facilities in an effort to “limit the volume of test requests, allowing laboratories to cope with the workload.” They reiterated that the list “does not imply that routine tests will not be performed.”

“The breach has endangered the safety and well-being of millions of public health patients,” NHLS CEO Koleka Mlisana said in the statement. 

The outages have stymied critical efforts to deal with several concurrent health crises — mpox, HIV and tuberculosis.

“We have come up with innovative ways of making TB and HIV viral load historical test results available to clinicians. More tests, prioritizing those on the critical test list, will be made available,” Mlisana said. 

The NHLS — which runs 265 laboratories across South Africa that provide testing services for public healthcare facilities in the country’s nine provinces — was plunged into chaos on June 22 when a ransomware gang began deleting large sections of the agency’s system, including backup servers.

The Cape Independent estimated that NHLS handles the diagnostic tests for about 80% of South Africa’s population — and added that there are over 6.3 million unprocessed blood tests. Without these tests, major operations have been postponed. 

“We can’t register new samples, we’re doing that manually. We also can’t get results loaded after analysis. We’re now printing the manual results out, attaching them to request forms and phoning these out,” Mlisana told Health E-News last week, adding that she was not aware of any deaths caused by the outage.

“In addition, we are in the process of developing an electronic registration system for registering new samples and providing test results electronically. Access to laboratory results will be the same as the historical TB and HIV viral test results.”

The NHLS noted that it has opened a case with the South African Police Service and notified regulators about the data breach. 

Last week, the BlackSuit ransomware gang took credit for the attack, claiming to have stolen 1.2 terabytes of data on the operations of the business, employees, patients and more. They said NHLS had not responded to their attempts to issue a ransom and instead “provoked the media.”

The group allegedly called members of Mlisana’s staff and a South African reporter to demand a ransom payment and deny that they intended to cause casualties. 

The ransomware gang caused similar havoc over the last two weeks with its attack on a prominent car dealership system. BlackSuit is a rebrand of the Royal ransomware group that launched a devastating attack on the city government of Dallas last year.