Cybercrime

Investigation of Russian Hack on London Hospitals May Take Weeks Amid Worries Over Online Data Dump

Hundreds of operations and appointments are still being canceled more than two weeks after the June 3 cyberattack on NHS provider Synnovis.

Hundreds of operations and appointments are still being canceled more than two weeks after the June 3 cyberattack on NHS provider Synnovis.

An investigation into a ransomware attack earlier this month on London hospitals by the Russian group Qilin could take weeks to complete, the country’s state-run National Health Service said Friday, as concerns grow over a reported data dump of patient records.

Hundreds of operations and appointments are still being canceled more than two weeks after the June 3 attack on NHS provider Synnovis, which provides pathology services primarily in southeast London.

The attack affected King’s College and Guy’s and St Thomas’ hospital trusts, which run several south London hospitals, as well as clinics and doctors’ practices across a swath of the city. A memo to staff called it a “critical incident” and said it had a “major impact” on services, particularly blood transfusions.

NHS England said Friday that it has been “made aware” that data connected to the attack have been published online. According to the BBC, Qilin shared almost 400GB of data, including patient names, dates of birth and descriptions of blood tests, on their darknet site and Telegram channel.

“The National Crime Agency and National Cyber Security Centre are working to verify the data included in the published files as quickly as possible,” NHS England said in a statement. “These files are not simple uploads and so investigations of this nature are highly complex and can take weeks if not longer to complete.”

According to Saturday’s edition of the Guardian newspaper, records covering 300 million patient interactions, including the results of blood tests for HIV and cancer, were stolen during the attack.

Advertisement. Scroll to continue reading.

A website and helpline has been set up for patients affected.

“We understand the distress this will cause patients who have to re-test,” NHS England said.

The National Crime Agency has confirmed that it is leading the criminal investigation but said it is unable to comment further.

Ransomware involves criminals paralyzing computer systems with malware, then demanding money to release them. Ransomware is the costliest and most disruptive form of cybercrime, affecting local governments, court systems, hospitals and schools as well as businesses. It is difficult to combat as most gangs are based in former Soviet states and out of reach of Western justice.

Britain’s state-funded health system has been hit before, including during a 2017 ransomware attack that froze computers at hospitals across the country, closing down wards, shutting emergency rooms and bringing treatment to a halt.

Qilin, also known as Agenda, advertises on dark web cybercrime forums and leases malware to affiliates who use it to conduct attacks for a percentage of ransom payments, said Louise Ferrett of Searchlight Cyber, a threat intelligence company. The group has listed more than 100 victims.

Related Content

Ransomware

The company has yet to determine the full scope, nature, and impact of the incident.

Cybercrime

The D1R cybercrime group claimed to have stolen valuable data from Synopsys and Bosch, threatening to leak it unless a ransom is paid. 

Cybercrime

Angelo Martino, a former ransomware negotiator, was sentenced to 70 months for helping the BlackCat/Alphv group.

Data Breaches

Hackers accessed the institution’s internal network and deleted two drives containing employee, student, and university data.

Artificial Intelligence

Attack demonstrates how LLM agents can combine known exploitation techniques with real-time reasoning to automate complex, multi-stage intrusions.

Cybercrime

Prosecutors say 19-year-old Peter Stokes was a member of Scattered Spider, the hacking group linked to more than 100 network intrusions and over $100...

Ransomware

The Microsoft Defender vulnerability CVE-2026-33825 was exploited in the wild as a zero-day before patches were released.

Data Breaches

Roughly two dozen companies have notified their customers of the Klue-Salesforce incident impact.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version