A Russian cyber-attack has forced London NHS hospitals to resurrect long-discarded paper records systems in which porters hand-deliver blood test results because IT networks are disrupted.
Guy’s and St Thomas’ hospitals trust (GSTT) has gone back to using pieces of paper, rather than messages passed between computers, to receive the outcome of blood tests involving their patients.
Synnovis, which analyses blood tests for GSTT, is still undertaking that work, despite being hit on Monday by a large-scale ransomware attack that has caused serious problems for the NHS.
A GSTT clinical staff member said: “Since the attack, Synnovis have had to print out the blood test results when they get them from their laboratories, which are on site at Guy’s and St Thomas.
“Porters collect them and take them up to the ward where that patient is staying or [to the] relevant department which is in charge of their care. The doctors and nurses involved in their care then analyse them and decide on that person’s treatment, depending on what the blood test shows.
“This is happening because Synnovis’s IT can’t communicate with ours due to the cyber-attack. Usually blood test results are sent electronically, but that’s not an option just now.”
The disclosure came as more details emerged about the impact of the latest hacking incident to hit the NHS, which Ciaran Martin, the former chief executive of the National Cyber Security Centre, said had been perpetrated by a group of Russian cybercriminals.
The attack, thought to be by the Qilin gang, has forced seven London hospitals run by GSTT and King’s College trust to cancel undisclosed numbers of operations, blood tests and blood transfusions, and declare a “critical incident”. Between them the trusts provide acute and various forms of specialist care for 2 million people across six boroughs in south-east London.
The Guardian can reveal that – despite previous denials – the hack has also affected the South London and the Maudsley (Slam) trust, England’s largest provider of mental health services.
Prof Ian Abbs, GSTT’s chief executive, said in a letter to trust staff on Tuesday evening that the “very significant incident” was having “a major impact on the delivery of services at our trust, King’s [trust] and primary care services within south-east London”.
Dozens of GP surgeries across the region have also had their ability to request blood tests and receive the results affected, sources say.
Abbs said that a wider range of services has also been affected, beyond those which the NHS previously acknowledged. “It is also affecting other hospital, community and mental health services across the region,” he added, making a reference to the Slam trust.
The attack on Synnovis had led to a “severe reduction in capacity” and was a “very, very serious incident”, said Martin.
Russian-based cyber hackers have “done automotive companies, they’ve attacked the Big Issue here in the UK, they’ve attacked Australian courts. They’re simply looking for money”, he added.
Meanwhile, a leading expert in IT security has warned that the attack could mean that blood test results which the NHS is using to guide patients’ care have been “manipulated”.
John Clark, a professor of computer and information security at the University of Sheffield, said: “Patient safety is of paramount concern and the accuracy of results is essential, so it is important to stress that unless it is known what has happened to the system, the accuracy of any stored data cannot be ensured.
“Determining whether stored data has been manipulated may simply not be possible and tests may have to be rerun and results re-recorded.”
Hackers could also cause mayhem for NHS trusts by targeting their appointments booking systems, he warned.
The outsourcing to companies of more and more functions previously undertaken by government departments and agencies has increased the latter’s vulnerability to cyber-hacking, he said. “Many services are outsourced by government agencies, including the NHS,” Clark said. “Connectivity with such external systems radically increases the number of entry points for attack on services provision and the systems that combine to provide them.”
A separate source also confirmed to the Guardian that the Qilin group was the assailant. It is understood there is no indication of the attack having spread, despite Synnovis having contracts with other NHS trusts around the country.
Martin said that the attack appeared to have been made as disruptive as possible in an attempt to secure a ransom.
“It does look like a targeted operation, designed to hurt so they would have to pay up,” he said.
However, the tech company behind Synnovis, Munich-based Synlab, was hit by a ransomware attack in April from a different group – known as BlackBasta – and does not appear to have paid a ransom. Typically, ransomware gangs extract data from the victim’s IT system and demand a payment for its return.
Data from the hack of Synlab’s Italian branch was published online in full last month, indicating that no ransom payment had been made. It is not illegal in the UK to pay ransomware gangs, although it is against the law to pay ransoms if the affected entity knows or suspects the proceeds will be used to fund terrorism.
Martin said most ransomware gangs operate within Russia, albeit without direct influence from the Russian state.
“Most of these groups are Russian-hosted and tolerated, but not directed by the state. Russia is a giant safe haven for cybercrime,” he said.
Qilin is known as a ransomware-as-a-service group, meaning it hires out malware to fellow criminals in exchange for a cut of the proceeds and also vets who is targeted.
Last year victims of ransomware attacks paid out a record $1.1bn to assailants, according to the cryptocurrency research firm Chainalysis, double the 2022 total.
Ransomware gangs typically demand payment in cryptocurrency, which they find easier to move across international boundaries and can be less traceable if certain exchanges are used. The average ransomware payment over the past year has risen 500% to $2m (£1.6m) according to Sophos, a British cybersecurity company.
