A cybercrime group's attack against a London-based pathology service last year was one of the "contributing factors" in the death of a patient, U.K. officials said.
# Incident Report: Qilin Ransomware Attack on Synnovis Pathology Services
## Executive Summary
In June of last year, the Qilin cybercrime group carried out a ransomware attack against Synnovis, a London-based pathology service provider supporting multiple NHS hospitals. The attack severely disrupted critical care services, including blood testing. The most serious consequence reported is the death of at least one patient, which U.K. officials attributed in part to delays in receiving blood test results. Data belonging to over 900,000 individuals was taken during the intrusion and subsequently published by the threat actors.
## Incident Details
- **Discovery Date:** Not explicitly stated, but attack occurred in June (last year).
- **Incident Date:** June (last year).
- **Affected Organization:** Synnovis (Pathology Service supporting NHS hospitals in London).
- **Sector:** Healthcare (NHS).
- **Geography:** London, UK.
## Timeline of Events
### Initial Access
- **Date/Time:** June (last year).
- **Vector:** Not stated in the source. Ransomware deployment by the Qilin group was the outcome of the intrusion, not the entry point.
- **Details:** The intrusion compromised Synnovis systems sufficiently to halt or severely slow pathology processing for the NHS trusts it serves.
### Lateral Movement
- Not detailed in the source. The disruption across several NHS trusts is explained by their shared dependency on Synnovis as a pathology provider; it is not by itself evidence of attacker movement into the trusts' own networks.
### Data Exfiltration/Impact
- **Data Exfiltration:** Data belonging to over 900,000 individuals was exfiltrated and later published by the attackers. This included personal details (names, dates of birth, NHS numbers) alongside sensitive pathology and histology forms.
- **Operational Impact:** Severe slowdown of blood testing, including cross-matching, across multiple NHS hospitals. With matching capacity limited, hospitals fell back on universal donor blood types, which drove blood stocks to critically low levels.
### Detection & Response
- **Detection:** The detection method is not stated. The affected trusts declared a "critical incident" once the disruption to pathology services became apparent.
- **Response actions taken:** Hospitals switched to universal blood products, which severely constrained transfusion capacity. A patient safety review was initiated after a patient death was linked to delayed test results. Synnovis stated that its data breach investigation is nearing completion and that it plans to update affected individuals.
## Attack Methodology
- **Initial Access:** Not stated in the source; the intrusion culminated in ransomware deployment by the Qilin group.
- **Persistence:** Not detailed.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Not detailed.
- **Discovery:** Not detailed.
- **Lateral Movement:** Not detailed. Disruption across multiple trusts reflects Synnovis's role as a shared pathology provider rather than confirmed movement between networks.
- **Collection:** Pathology and histology forms, patient names, dates of birth, and NHS numbers.
- **Exfiltration:** Patient data was exfiltrated and later published by the attackers, the double-extortion pattern in which the leak is used as additional leverage.
- **Impact:** Operational downtime, critical service limitations (blood transfusions), and patient harm resulting in at least one confirmed death.
## Impact Assessment
- **Financial:** Not estimated in the provided text.
- **Data Breach:** Data belonging to over 900,000 individuals exposed, including PII (names, dates of birth, NHS numbers) and sensitive medical records (pathology and histology forms, some revealing STI or cancer status).
- **Operational:** Severe disruption to pathology services, forcing hospitals to conserve blood stocks and limit non-critical transfusions.
- **Reputational:** Significant negative publicity for Synnovis and the NHS regarding data security and patient safety standards.
## Indicators of Compromise
- **Network indicators - defanged:** None provided.
- **File indicators:** None provided.
- **Behavioral indicators:** None provided beyond what the source implies: ransomware encryption causing systemic failure of pathology processing systems, with bulk exfiltration of patient records preceding the leak.
## Response Actions
- **Containment measures:** Not detailed beyond the declaration of a critical incident. Operational workarounds were put in place, such as switching to universal blood stocks.
- **Eradication steps:** Not detailed.
- **Recovery actions:** Not detailed for IT systems. The data breach investigation is nearing completion, and the NHS has issued further calls for blood donations because stock levels remain low.
## Lessons Learned
- Cyberattacks on critical healthcare infrastructure can cause direct clinical harm, up to and including patient death.
- Delays in essential diagnostics such as blood test results translate directly into clinical risk; here, such a delay was officially cited as a contributing factor in a patient's death.
- Breach notification for highly sensitive public-sector data (such as NHS records) needs marked improvement: roughly a year after the attack, affected patients had still not been individually informed.
## Recommendations
- Implement layered, ransomware-focused defences: endpoint detection and response on servers and workstations, phishing-resistant multi-factor authentication on all remote and administrative access, and offline, tested backups.
- Develop and regularly exercise downtime procedures (including paper-based workflows) that can sustain critical patient services such as blood cross-matching when digital systems are unavailable, and treat third-party pathology providers as single points of failure in those plans.
- Establish clear timelines and a rehearsed, scalable process for notifying affected individuals after a major healthcare data breach, so that informing hundreds of thousands of patients does not take more than a year.