Health cyber-attacks lead to dozens of NHS data breaches, new data reveals

Photo by Markus Spiske on Unsplash

Cyber-attacks on the health sector have led to more than 400 personal data breaches since 2018, according to the Information Commissioner’s Office (ICO), the UK’s privacy watchdog.

Freedom of information requests sent to the ICO and all NHS hospital trusts reveal hacking incidents at hospitals and clinics, with one describing itself as under ‘continuous attack’ and Walton Centre NHS trust reporting an unsuccessful ransomware attempt.

Attacks are either specifically targeted at the sensitive health sector or opportunistic, said Dr Saif Abed, Director of Cybersecurity Advisory Services at the AbedGraham Group, a consultancy. In opportunistic attacks, such as 2017’s WannaCry ransomware which encrypted the systems of many organisations, including 81 NHS trusts, criminal gangs spray malware widely, knowing that “they only need to be successful once to be really disruptive,” said Abed.

Ireland’s health service (HSE) said last week that services continue to be ‘severely impacted’ by a targeted ransomware attack that began on 14 May and shut down their entire network. Infected HSE servers only began to be brought back online after the ransomware gang voluntarily handed a decryption key to Irish authorities, who refused to pay the ransom demand

Dr Simon Woodworth, Director of Cyber Risk for Business at Cork University, said even with the decryption key so many aging and underfunded HSE systems collapsed that paying the ransom demand, rumoured to have been US$20 million, would not have reduced the estimated €100-500 million cost of the attack.

US company Colonial Pipeline recently paid a $4.4 million ransom, while the world’s largest meat processing company JBS, paid $11 million in June. “The incentives for a victim to pay are absolutely immense,” said Emily Taylor, Chief Executive of Oxford Information Labs and editor of the Journal of Cyber Policy. “If you’re in organised crime, why wouldn’t you be in cyber? You get economies of scale, transaction costs are almost zero and you don’t have the same risks as with offline crime. You don’t have to worry about violence or going to prison, because the chances are you will never be brought to justice.”

Sometimes cyber-attacks result in unauthorised access to or theft of patient data. Freedom of information data reveals that following cyber-attacks private healthcare providers notified 111 breaches to the ICO, secondary care providers such as NHS hospitals suffered 50 attacks, while GPs reported 14 incidents.

In Ireland the HSE attack resulted in sensitive data on about 520 patients being published on the dark web. According to Woodworth, a good quality stolen health care record can fetch $1500 in the US. They are sold on by attackers and the end-user then fraudulently obtains private health care or sometimes blackmails patients, said Woodworth.

Abed worries the next wave of attacks won’t be about shutting down whole systems or stealing data. “Instead of just making systems unavailable, what if you mixed all the clinical data together? So imagine, taking lab data and shuffling it between patients or resetting early warning systems to normal. That’s really insidious because unless someone notices something’s off and raises the clinical alarm bell that’s really scary.”

These incidents, which Abed terms ‘clinical integrity extortion attacks,’ could move from theory to reality in coming years. He points to a study from Ben Gurion university in Israel where researchers created malware that put fake cancer nodules on CT scans, fooling specialists into thinking they were looking at genuine clinical results.

Many NHS bodies were unwilling to reveal information, saying that national security and crime prevention considerations prevented them from answering freedom of information requests about the numbers of cyber-incidents. However, other NHS bodies answered freely. For example, Bradford District Care NHS trust said it had experienced ten cyber incidents over the past three years, including one malware, three hacking, and two phishing attempts, while Birmingham Community Healthcare NHS trust reported 50 incidents to the Department of Health and 24 to the ICO.    

Taylor said that it was revealing that no consistent approach had been agreed between hospital trusts on what they say about cyber-attacks. “Victims of cyber-attacks feel ashamed. But this isn’t their fault. They are victims of crime. There needs to be more transparency as that drives the right kind of change.”

She believes there needs to be a move to protection coupled with resilience, as some attacks will always get through defences. “You are never going to be 100% protected, instead you have to make sure you can recover.” Amid many cancelled appointments Irish hospitals reportedly resorted to pen and paper, just as NHS staff did during the 2017 WannaCry attack. 

While the UK government blames North Korea for the WannaCry attack many others originate from Russia, where organised gangs are tolerated by the authorities in return for never attacking Russian targets and occasionally being used as guns-for-hire in offensive cyber warfare. Woodworth said that the Irish government approached the Russian embassy during the recent attack. Although the Russian government offered their help, according to Woodworth, authorities viewed this as a double-edged sword as Russians and other state actors were interested in getting a toehold in the Irish data economy, where about 30 % of all Europe’s data is stored, as many internet giants such as Google and Amazon operate large data centres in the Republic.

Gas fires and explosions 90 times more common than official statistics record, new data reveals

There have been at least 14,000 gas fires and explosions in the UK over the last five years, according to new figures obtained by PA Diploma News.

While official statistics show 155 gas fires and explosions were reported to the Health and Safety Executive over the last five years, this drastically undercounts the number of gas-related incidents. Freedom of information requests submitted to every fire authority in the UK revealed fire crews have attended 13,199 fires and 1,058 explosions since 2016. 

These include fires from leaks from the mains gas supply, barbecues and explosions caused by indoor and workshop gas appliances using butane and propane. For example, investigators believe that several houses in Ashford, Kent were destroyed by an explosion stemming from a leak from a portable heater. 

National Socialism’s American vacation

The gate in Birkenau. Photographer Stanisław Mucha, courtesy Auschwitz-Birkenau Memorial and Museum.

On 20 January 1942 fifteen top Nazi officials met at a villa, on the shore of Berlin’s lake Wannsee, to plan the Holocaust. Thirty years later one of them, Georg Leibbrandt, went on holiday to America.

Newly published documents, including declassified CIA files, and the first interview with Jeffrey Mausner, the now-retired US Department of Justice (DOJ) lawyer responsible for investigating Leibbrandt in 1979, reveal new details about his role in the Holocaust and how he became the highest ranking Nazi ever to visit the USA.

Leibbrandt attended the Wannsee Conference alongside more notorious war criminals such as Adolf Eichmann. According to the minutes of the meeting, it was called to discuss the “organisational, factual and material interests in relation to the final solution of the Jewish question in Europe.”

Front page of an old historical document shwoing leibbrandt's name on the invitation list for the Wannsee conference
Attendance list for the Wannsee Conference, showing Leibbrandt’s name.

Leibbrandt was there as the second most senior official in the Ostministerium, the Ministry for occupied territories in the East. Born in what is now Ukraine, he was seen as an expert on the various nationalities found in the east. Before the war he had documented hundreds of German-speaking colonies in Russia, and in the post-war period he kept in touch with American genealogists keen to trace their roots back to those settlements. In addition to meeting with a notorious American holocaust denier, his trip to the US was partly an attempt to reclaim his academic collection, which had been seized by American forces.

By late 1941, when Leibbrandt received his invitation to the Wannsee conference, mass shootings were already commonplace in occupied Soviet territories. The Nazis had also used gas sporadically, particularly against the inmates of psychiatric hospitals. However, the SS organisers of the Wannsee conference wanted to move from mass murder to genocide – the deliberate killing of all Europe’s Jews.

The Wannsee minutes list the 11 million remaining Jews in each European country, including 330,000 in England, and describe how, “In the course of the practical execution of the final solution, Europe will be combed through from west to east.”

“It was shocking that Leibbrandt had been in the United States,” said Jeffrey Mausner. “Not only that he was at a senior level, but that he was directly involved in the final solution.” During a phone interview Mausner, now in his 70s and living in Los Angeles, still sounds as outraged as he did when he first learned about Leibbrandt. Back in 1979 Mausner was a new recruit at the DOJ’s Office of Special Investigations, a small Nazi-hunting team formed that year after public outcry about Nazi concentration camp guards setting up home in American suburbs.

The 1974 film Marathon Man, a paranoid thriller starring Dustin Hoffman, captured the mood. The film is best known for its scene in which a Nazi dentist played by Laurence Olivier keeps drilling into Hoffman’s teeth, asking “Is it safe? Is it safe?” Yet an equally horrifying moment comes when a concentration camp victim, a tattoo clearly visible on his arm, spots his torturer on the streets of New York’s diamond district.

Leibbrandt photo.
Georg Leibbrandt, head of the Political Department of the Reich Ministry for the Occupied Eastern Territories.

Leibbrandt wasn’t a camp guard or torturer. Hannah Arendt, who reported on Eichmann’s 1961 trial in Jerusalem, coined the term Schreibtischtäter, desk-murderer. They may not have pulled a trigger or manned a watchtower, but the desk-murderers wrote the policies which defined who was a Jew when considering the offspring of mixed marriages, they organized the trains to take Europe’s Jews to Auschwitz, and they settled bureaucratic turf disputes in favour of genocide. Leibbrandt was one of these men.

When Mausner now reads his 1979 report justifying the revocation of Leibbrandt’s visa he is shocked by the evidence he cited:

Extract from DOJ memo, setting out the reasons for cancelling Leibbrandt’s visa.

“Looking at it now, it’s even more shocking that the Germans never prosecuted him. The smoking gun. And even though there’s this use of the euphemism ‘solution of the Jewish question’ that’s all part of this. He knew very well what “solution of the Jewish question” was. This statement is in October 1942 – Wannsee was January 1942. This is basically him saying I intend to bring about the murder of hundreds of thousands or millions of people. Wow.”

Before the war Leibbrandt, an ethnic German who grew up near Odessa, had been an academic, publishing seven volumes mapping German-speaking colonies across Russia. Stalin’s brutal resettlement of ethnic Germans, including members of his own family, underpinned Leibrandt’s anti-Bolshevism, which eased his ideological path into National Socialism in 1933.

After the war Leibbrandt remained engaged in historical and genealogical research, frequently liaising with groups like the American Historical Society Of Germans From Russia.

Letter from Georg Leibbrandt to his brother Gottlieb in Canada asking for assistance in organising his trip to North America. Photo courtesy of Karen Brglez.

In 1974, by now in his mid-70s, he visited the US with his son, partly in an attempt to reunite his academic papers, seized by American forces at the end of war. According to academic Samuel Zinner, in Washington Leibbrandt met with Professor Austin App, a holocaust denier whose pamphlet, ‘The Six Million Swindle,’ was banned from sale on Amazon earlier this year. After visits to Cleveland, Ohio and Niagara Falls to see his brother Gottlieb, also a former Nazi, Leibbrandt returned home.

Leibbrandt never faced justice before he died in 1982. After the Nazi defeat he was detained by British troops but, despite the urging of the World Jewish Congress, he wasn’t put on trial at Nuremberg, instead appearing as a witness. 

Mausner believes the decision by German post-war prosecutors not to try Leibbrandt was “unforgiveable.”  

“Why, at this time, were they not interested in prosecuting a high level mass murderer, a Nazi? I think they just didn’t care that much about the Holocaust. I think that there may have been people still in the government who had been involved with the Nazis. Basically they really didn’t care very much,” said Mausner.

Perhaps the closest Leibbrandt came to a reckoning came from his son, Hansgeorg. According to his biographer Martin Munke, in the 1960s Leibbrandt slapped his son after he confronted his father, calling him a desk-murderer.

Mausner is still frustrated that all he was able to do was cancel Leibbrandt’s visa, and revoke the US citizenship of camp guards. “These people committed some of the worst crimes ever committed. You would spend years prosecuting them. And then the punishment did not at all fit the crimes. But at least we did something. Which is more than most countries did.”

“The people who worked on it were really serious about it. We worked really hard on it and we used whatever we had to try to get some justice. The laws just weren’t there, they weren’t commensurate in any way with what they did.”

“So that was that.”