What was initially perceived as a supply-chain disruption within the UK healthcare ecosystem has now revealed a more severe and longer-lasting impact on patient privacy. Two years after a cybercriminal attack on pathology services provider Synnovis, Bedfordshire Hospitals NHS Foundation Trust has confirmed that sensitive data relating to nearly 33,000 individuals was stolen and published.
The exposed records come from administrative pathology files associated with laboratory and diagnostic testing conducted between 2011 and 2020, and may contain personal information and clinical test results.
Ransomware incidents have long been framed as operational disruption, but they also create long-term data protection challenges for healthcare organizations. Attacks on critical third-party suppliers supporting essential NHS services pose cascading risks: a compromise at the supplier becomes a breach for every organization whose data it holds.
Following the June 2024 ransomware incident, Synnovis and relevant healthcare organizations conducted an extensive forensic review to determine the extent of the exposure.
Bedfordshire Hospitals NHS Foundation Trust notified the affected individuals after receiving confirmation that data relating to approximately 32,927 patients had been identified in material exfiltrated by the attackers and distributed on dark web sites.
According to the trust, the delay in disclosure was driven by the complexity of the investigation rather than by a newly discovered breach. The compromised material consisted of fragmented administrative records dispersed across several sources, rather than conventional datasets held in structured repositories, and more than a year of specialist analysis was required to determine the contents of these files and which organization owned them.
The review found that historical pathology-related information spanning nearly a decade up to November 2020 may have been exposed, including patient names, dates of birth, NHS and patient identification numbers, postcodes, and diagnostic test results. Incidents involving unstructured healthcare data are hard to assess because the stolen information must first be accurately mapped to the individuals it concerns before the full impact on them can be understood.
After notifications had been sent to the affected individuals, the focus shifted from forensic reconstruction to risk mitigation.
Bedfordshire Hospitals NHS Foundation Trust urged patients to remain vigilant for suspicious communications: not to respond to unexpected requests for personal information, not to open attachments or links from unfamiliar sources, and to treat unsolicited phone calls, emails or text messages that reference healthcare information with caution.
The trust acknowledged that the disclosure may cause concern, but emphasised that the compromise occurred on an external pathology supplier’s systems rather than on its own network infrastructure, and reiterated its commitment to supplier oversight and data protection governance. Cybersecurity professionals, however, have criticised the delay in disclosure.
Saif Abed, founding partner of the AbedGraham Group, has argued that a two-year gap between the incident and patient notification raises serious questions about the accountability of all the organizations involved. Furthermore, he challenged sugges
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents