London Hospitals Knew of Cyber Vulnerabilities Years Before Hack
A group of London hospitals struggling to contain the fallout from a cyberattack against a critical supplier had known for years about weaknesses that left them vulnerable to hacks, according to documents reviewed by Bloomberg News.
The Guy’s and St Thomas’ NHS Foundation Trust, which runs five major hospitals in the London area, has failed to meet the UK health service’s data security standards in recent years and acknowledged as recently as April that “cybersecurity remained a high risk” to its operations, according to publicly available documents that outline board of directors’ meetings.
In January, the board of directors raised questions about the security of digital links between hospital computer systems and those of third-party companies.
Related: London Hospitals Postpone Some Operations After Cyberattack
Hackers last week brought down the trust’s pathology services provider, Synnovis, with severe knock-on effects at hospitals. Doctors have, among other things, been forced to delay medical operations, postpone blood tests and resort to handwritten records. The attack has disrupted blood services so drastically that medical facilities are asking the public for donations, and one hospital is calling on its own staff to contribute.
The April report proposed an audit to identify where improvements could be made. It’s not clear if improvements took place before the hack on June 3, or whether the vulnerabilities identified in the board of directors’ reports — which include dated IT systems and hardware devices — had any bearing on the ransomware infection at Synnovis.
“The trust takes cybersecurity very seriously and this includes arrangements with third parties,” Guy’s and St Thomas’ NHS Foundation Trust said in a statement. “We are working closely with partners to fully understand how this hack happened.” The trust declined to comment on the cybersecurity warnings raised prior to the attack.
UK-based Synnovis is jointly owned by Synlab UK & Ireland and two publicly funded NHS trusts – Guy’s and St Thomas’ NHS Foundation Trust and the King’s College Hospital NHS Foundation Trust – that run several hospitals in London and Kent.
The hack on Synnovis has primarily affected patients of Guy’s Hospital, St Thomas’ Hospital, King’s College Hospital and primary care in southeast London, Bloomberg News has reported.
The impact of the breach is ongoing.
Electronic patient records are still accessible to doctors, according to a blood transfusion specialist who works with multiple hospitals in London, who spoke on condition of anonymity as they weren’t authorized to share information with the media.
But a software tool that Synnovis uses to transfer blood test results into patient records is no longer functioning because of the attack, leaving an information blind spot that has caused major disruption across the affected hospitals and forced them to run at about 10% to 15% of normal capacity, the person said.
Years of cybersecurity concerns
Since at least mid-2021, concerns have been aired about cybersecurity vulnerabilities affecting hospitals operated by the Guy’s and St Thomas’ NHS Foundation Trust, according to the board meeting documents.
For instance, minutes from a meeting in May 2021 warned that a “significant number” of the trust’s IT systems and hardware devices were “out of support or at the end of life, and which can increase the risk of cyberattack.” A report in April 2022 said work had been undertaken to “partially mitigate” security risks, such as outdated Windows software, through “tactical fixes.” But the report added that “some areas of the trust remained vulnerable to a cyberattack.”
The trust later embarked on a program of modernizing its IT infrastructure, updating computers and carrying out simulated hacks to test for vulnerabilities. In October 2023, the trust rolled out a new electronic patient record system and began implementing a new computerized system called Blood Track to manage blood transfusions, according to the documents.
Even so, the trust’s board of directors continued to raise concerns. In January 2024, the trust’s IT infrastructure was said to be “configured to a good standard,” but directors questioned whether sufficient security procedures were in place to monitor interfaces with third parties – such as the pathology business unit operated in collaboration with Synnovis.
Little information about the King’s College Hospital NHS Foundation Trust’s cybersecurity practices is publicly available. Last year, the UK’s information watchdog, the Information Commissioner’s Office, audited the trust and flagged that it had issues with data protection compliance. The trust had “considerable scope for improvement” to ensure it was protecting personal data, the commissioner’s office found. A September 2023 board of directors’ report from the King’s College Trust said it had recorded “an increase in data breaches,” though it’s unclear whether these were related to cybersecurity incidents.
A spokesman for King’s said that the ransomware attack had affected Synnovis and that there was no evidence that it had infiltrated King’s systems. The prior data breaches highlighted in its board of directors’ report were unrelated to the latest incident, the spokesman added.
“Data security is a priority for the trust, and something we take very seriously,” the spokesman said. “Data breaches are rare, but when they do occur, we ensure they are fully investigated, and action taken to strengthen the processes we have in place.”
Russian group suspected of attack
The cyberattack on Synnovis is suspected to have been carried out by a Russian-speaking ransomware gang known as Qilin, which has claimed more than 100 attacks on companies and organizations across a range of sectors since late 2022, according to the cybersecurity firm Secureworks. A representative of the Qilin gang didn’t respond to requests for comment.
Ransomware gangs typically gain access to victim computers by exploiting a software vulnerability, luring a victim into clicking a malicious link in an email or using stolen credentials to log in. They then gain access to internal networks and use malicious software to encrypt files on computers, rendering them inoperable. The gang demands payment to unlock the computers and may also threaten to publish stolen data online.
“Ransomware groups that are willing to target the health-care sector understand the value of the data and also the importance of access to that data,” said Cian Heasley, threat lead at Adarma Security. “As we can see from the situation affecting London hospitals, the potential leaking of stolen data is only part of the problem; the data itself is vital to patient treatment.”
The breach is the third known ransomware case in the last year to have affected a branch of Synlab AG. In June 2023, the hacking gang Cl0p targeted the company’s French subsidiary. In April 2024, the operations of Synlab’s branch in Italy were disrupted by another ransomware gang, known as Black Basta.
In a statement last week, Synnovis said all its IT systems had been affected by the hack and that it was working with experts to resolve the issue.
“We take cybersecurity very seriously at Synnovis and have invested heavily in ensuring our IT arrangements are as safe as they possibly can be,” said Mark Dollar, chief executive officer of Synnovis. “This is a harsh reminder that this sort of attack can happen to anyone at any time and that, dispiritingly, the individuals behind it have no scruples about who their actions might affect.”
Top photo: St Thomas’ Hospital in London.