Luton patients warned their data may have been hacked in major NHS cyber attack

Luton and Dunstable University Hospital

Patients treated at Luton and Dunstable University Hospital could face “a limited risk of unsolicited contact or phishing attempts” after a major NHS cyber attack by hackers exposed their information, which was held by a pathology services provider.

Bedfordshire Hospitals NHS Foundation Trust has issued a notification following the conclusion of a lengthy forensic investigation into a ransomware attack on pathology company Synnovis, which took place in June 2024.

The investigation took more than a year because the stolen information was fragmented and unstructured, requiring forensic specialists to reconstruct exactly what had been taken before affected organisations could be informed.

The attack, one of the most significant to hit the NHS in recent years, disrupted pathology services and led to sensitive data being stolen from Synnovis systems. Synnovis has now begun notifying NHS organisations whose information may have been compromised.

Bedfordshire Hospitals NHS Foundation Trust said in a statement: “Based on the information we have, it’s possible that the data relates to individuals who had laboratory or diagnostic results at Bedford Hospital or Luton and Dunstable Hospital during the period 2011 – 2020.”

The trust is now reviewing information provided by Synnovis to establish whether any local patients or staff were affected and what information may have been involved.

Bedfordshire Hospitals Trust has recommended that patients take precautions to: “Remain alert to any unexpected communications asking for personal information. Avoid clicking on links or opening attachments from unknown sources. Be cautious of unsolicited calls, emails or texts that reference your information.”

The trust added: “We will never contact you to ask for your password or sensitive personal information such as bank details or security codes.”

Explaining the issue further, the trust said: “Because the data is fragmented, historic, and not held in a structured or readily usable format, we believe the risk of it being clearly understood or misused is low. The supplier continues to monitor online forums where the material was published and has obtained a court injunction prohibiting third parties from accessing, sharing, publishing or misusing the stolen data.

“While the data remains present in those places, publication alone does not mean that it has been used in a harmful way. At this time, we are not aware of any evidence that the information has been accessed or used inappropriately. However, as a precaution, there remains a limited risk of unsolicited contact or phishing attempts.”

The cyber attack occurred on 3 June 2024 when Synnovis, a pathology provider that carries out blood, urine and specimen testing for NHS organisations, was targeted by ransomware hackers. The incident severely disrupted services in south-east London and resulted in patient data being stolen and later published online.

According to NHS England, while the operational impact was concentrated in London, stolen data could potentially relate to patients, hospitals, GP practices and clinics elsewhere in England that used Synnovis services.

On whether patients’ data will be misused, the trust said: “Publication does not necessarily mean that it has been accessed or misused. The data is hard to interpret in its current form. To date, we have no evidence of inappropriate use.”

The trust stressed that current hospital services and systems have not been affected by the incident and that the review relates to historic data linked to the 2024 attack. Similar reviews are being carried out by NHS organisations across England after receiving information from Synnovis.

“We recognise that news of a cyber-incident involving a supplier may be concerning,” the trust said, adding: “While this incident did not occur within our own systems, we take the protection of personal data seriously and are committed to ongoing oversight of our suppliers and the security arrangements in place.”

As investigations continue, the trust has pledged that all potentially affected patients will be informed.

Further information is available at: https://www.england.nhs.uk/synnovis-cyber-incident/
