A cyber attack believed to have been carried out by a Russian group disrupted an NHS hospital’s IT network, forcing it to reinstate a long-abandoned paper record-keeping system in which blood test results are handed over by porters.
Guy’s and St Thomas’ Trust (GSTT) has reverted to using paper, rather than computers, to receive patients’ blood test results.
Synnovis, the company that analyses blood tests for GSTT, is still working despite being hit by a major ransomware attack on Monday that caused serious problems for the NHS.
A clinical member of staff at GSTT said: “Since the attacks, Synnovis has had to print blood test results as they are received from laboratories based on the Guy’s and St Thomas’ Hospital sites.
“The porters will collect the patients and carry them to the ward where the patients are admitted. The patient’s blood test results will be sent to the relevant department responsible for the patient’s care. The doctors and nurses involved in the patient’s care will analyse the blood test results and decide on the patient’s treatment accordingly.
“This is happening because a cyber attack means Synnovis’ IT department can’t communicate with our IT department. Normally blood test results are sent electronically, but that’s not possible at the moment.”
The revelation comes as details emerge about the impact of the latest hacking attack on the NHS, which Ciaran Martin, former chief executive of the National Cyber Security Centre, said was carried out by Russian cybercriminals.
The attack, believed to have been perpetrated by the Qilin gang, forced seven London hospitals run by GSTT and King’s College Trust, which provide acute and specialist care to two million people across six south-east London boroughs, to halt an undisclosed number of operations, blood tests and transfusions and declare a “major incident”.
The Guardian can now reveal that, despite previous denials, the hack also affected England’s largest mental health service provider, the South London and Maudsley (Slam) trust.
In a letter to trust staff on Tuesday night, GSTT chief executive Professor Ian Abbs said the “very serious incident” was “significantly impacting on the service delivery of our trust, King’s [trust] and health and primary care services in south-east London”.
Dozens of general practices in the region have also been affected in their ability to request blood tests and receive their results, sources said.
Mr Abbs said a wider range of services were being affected beyond what the NHS had acknowledged. Referring to the Slam trust, he added: “Other hospital, community and mental health services across the region are also being affected.”
Martin said the attack on Synnovis had led to a “significant reduction in production capacity” and was a “very serious incident.”
Russia-based cyber hackers “have attacked car companies, they’ve attacked The Big Issue here in the UK, they’ve attacked courts in Australia. They’re just after the money,” he added.
Meanwhile, a leading IT security expert warned that the attack could have led to the “manipulation” of blood test results used by the NHS to treat patients.
John Clarke, professor of computer and information security at the University of Sheffield, said: “Patient safety is paramount and accuracy of results is essential, so it is important to stress that we cannot guarantee the accuracy of any stored data unless we know what has happened to the system.”
“It is not possible to determine whether the stored data has been manipulated and it may be necessary to rerun tests and re-record the results.”
He warned that hackers could also cause chaos by targeting NHS trust booking systems.
Clarke said that many of the functions previously performed by government agencies have been outsourced to companies, making them more vulnerable to cyber hacks. “Many services are outsourced to government agencies, including the NHS,” he said. “These connections to external systems dramatically increase the number of attack surfaces into the delivery of those services and the systems that deliver those services.”
A separate source confirmed to the Guardian that the Qilin group was the attacker. Synnovis also has contracts with other NHS trusts across the country, but there appear to be no signs the attack has spread.
Martin said the attack appears to have been designed to be as disruptive as possible in order to secure the ransom.
“This certainly appears to be a targeted operation aimed at inflicting damage on the other side and making them pay a price,” he said.
The technology company behind Synnovis, Munich-based Synlab, was hit by a ransomware attack in April by another group known as BlackBasta, but does not appear to have paid the ransom. Ransomware gangs typically extract data from victims’ IT systems and demand payment for its return.
Last month, data from the hack of Synlab’s Italian branch was published online in full, showing that no ransom was paid. In the UK, it is not illegal to pay a ransom to a ransomware group, but it is illegal for a victim organisation to pay a ransom if they know or suspect that the proceeds will be used to fund terrorism.
Martin said most ransomware groups are not directly influenced by the Russian government, but operate within Russia.
“Most of these groups are hosted and tolerated by Russia, but they are not state-sponsored. Russia is a huge haven for cybercrime,” he said.
Qilin is known as a ransomware-as-a-service group: it rents out its malware to fellow criminals in exchange for a cut of the revenue, and vets who gets targeted.
Victims of ransomware attacks paid a record $1.1 billion to attackers last year, double the 2022 total, according to cryptocurrency research firm Chainalysis.
Ransomware gangs typically demand payment in cryptocurrency, which is easy to move across borders and hard to trace through certain exchanges. Average ransomware payouts have risen 500% in the past year to $2 million (£1.6 million), according to British cybersecurity firm Sophos.





