A cyberattack on London hospitals last year led to the depletion of stocks of crucial O-type blood, and the U.K.'s National Health Service is calling for a nationwide effort to shore up supplies.
# Incident Report: Synnovis Ransomware Attack and NHS Blood Supply Disruption
## Executive Summary
A significant ransomware attack, attributed to the group Qilin, targeted Synnovis, a pathology services provider for parts of the UK's National Health Service (NHS) in London. The attack severely disrupted pathology services, forcing hospitals to over-rely on O-type blood, leading to national blood stock shortages and urgent public appeals for donations. Furthermore, the attack resulted in the confirmed exfiltration of sensitive patient data belonging to nearly one million individuals.
## Incident Details
- Discovery Date: Not explicitly stated; the impact became evident when pathology services were disrupted, and it continued to be felt through the following year.
- Incident Date: Not explicitly stated; the attack occurred "last year," some time before the urgent blood donation appeals that followed it.
- Affected Organization: Synnovis (pathology services provider), impacting several London healthcare organizations across the NHS.
- Sector: Healthcare (Public Health Services)
- Geography: United Kingdom (London)
## Timeline of Events
### Initial Access
- Date/Time: Not specified; the attack occurred "last year."
- Vector: Not specified. The incident is described as a ransomware attack attributed to the Qilin group; the initial access method used to deploy it is not given.
- Details: The attack targeted Synnovis, disrupting pathology services on which multiple London hospitals depend.
### Lateral Movement
- Details: Not specified. Some degree of internal movement and privilege escalation can be inferred, since the actor both deployed ransomware and reached patient data for exfiltration, but no details of the actor's activity inside the Synnovis environment are given.
### Data Exfiltration/Impact
- Date/Time: Not specified; the stolen data was published online by the threat actor after the encryption and service disruption.
- Details: Data belonging to over 900,000 individuals was stolen, including names, dates of birth, NHS numbers, contact details, and highly sensitive pathology and histology forms detailing conditions such as cancer and sexually transmitted infections (STIs).
### Detection & Response
- Date/Time: An urgent call for blood donations was issued shortly after the event; further appeals followed several months later.
- Details: With pathology services down, hospitals could not quickly match blood types and fell back on O-type blood, rapidly depleting those stocks. An "amber alert" was declared, restricting blood availability to the most critical transfusions. Separately, the Information Commissioner's Office (ICO) requires organisations to inform data subjects of breaches, particularly those involving sensitive medical data.
## Attack Methodology
- Initial Access: Not specified; the attack is described as ransomware deployment attributed to the Qilin group.
- Persistence: Not specified; some form of persistence was presumably established, since data was exfiltrated before the ransomware was detonated.
- Privilege Escalation: Not specified.
- Defense Evasion: Not specified.
- Credential Access: Not specified.
- Discovery: Not specified; internal reconnaissance to locate valuable patient data can be inferred from what was stolen.
- Lateral Movement: Not specified; movement within the Synnovis environment can be inferred from the impact on linked hospital pathology services.
- Collection: Pathology and histology forms, together with standard personal identifiers (names, dates of birth, NHS numbers, contact details).
- Exfiltration: Patient data was stolen before the disruption and later published online by the threat actor as part of its extortion effort.
- Impact: Operational disruption (pathology services shutdown) and major data breach (PII and sensitive medical records).
## Impact Assessment
- Financial: Not specified; system recovery and the ongoing investigation imply significant operational costs.
- Data Breach: Over 900,000 individuals affected. Exposed data included names, dates of birth, NHS numbers, contact details, and highly sensitive medical information (cancer and STI reports).
- Operational: Severe disruption to pathology services forced hospitals to manage blood supplies conservatively, leaving national blood stocks fragile for an extended period and prompting urgent donation drives (with the threat of escalation to a red alert).
- Reputational: Significant negative impact on the trust in the NHS and Synnovis regarding data security and service continuity.
## Indicators of Compromise
- Network indicators: None provided; the source gives no IP addresses, domains or URLs associated with command and control or data drop sites.
- File indicators: None provided; the source gives no malware hashes or file names.
- Behavioral indicators: Ransomware activity, external publishing of stolen data, systemic disruption of medical pathology services.
## Response Actions
- Containment measures: Not detailed; isolating the active ransomware and segmenting the affected network would have been the immediate priority.
- Eradication steps: Not detailed; this would involve cleaning affected systems and confirming that the threat actor no longer had access.
- Recovery actions: Synnovis is conducting an ongoing investigation (eDiscovery) into the stolen data; NHS Blood and Transplant has launched large-scale public appeals for blood donations to stabilise national stocks.
## Lessons Learned
- Criticality of clinical dependencies: The attack exposed the dangerous dependency of a core clinical function (blood matching) on a single external pathology provider (Synnovis).
- Data breach notification lag: The complexity of the investigation led to significant delays in telling affected patients how much of their sensitive data had been exposed.
- Blood stock vulnerability: Falling back on universal blood types (O+) during a system failure rapidly depletes critical emergency reserves.
## Recommendations
- Strengthen supply chain risk management: Implement rigorous security standards and redundancy for critical third-party pathology and IT service providers interacting with patient data.
- Enhance resilience for critical functions: Develop and frequently test offline/manual procedures for core clinical functions (like blood typing) that can operate without reliance on compromised digital pathology systems.
- Improve patient notification protocols: Establish clearer, rapid timelines for notifying affected individuals following the discovery of a high-risk data breach involving sensitive medical information, even if the full scope is under investigation.