Health cyber-attacks lead to dozens of NHS data breaches, new data reveals

Photo by Markus Spiske on Unsplash

Cyber-attacks on the health sector have led to more than 400 personal data breaches since 2018, according to the Information Commissioner’s Office (ICO), the UK’s privacy watchdog.

Freedom of information requests sent to the ICO and all NHS hospital trusts reveal hacking incidents at hospitals and clinics, with one describing itself as under ‘continuous attack’ and Walton Centre NHS trust reporting an unsuccessful ransomware attempt.

Attacks are either specifically targeted at the sensitive health sector or opportunistic, said Dr Saif Abed, Director of Cybersecurity Advisory Services at the AbedGraham Group, a consultancy. In opportunistic attacks, such as 2017’s WannaCry ransomware which encrypted the systems of many organisations, including 81 NHS trusts, criminal gangs spray malware widely, knowing that “they only need to be successful once to be really disruptive,” said Abed.

Ireland’s health service (HSE) said last week that services continue to be ‘severely impacted’ by a targeted ransomware attack that began on 14 May and shut down their entire network. Infected HSE servers only began to be brought back online after the ransomware gang voluntarily handed a decryption key to Irish authorities, who refused to pay the ransom demand

Dr Simon Woodworth, Director of Cyber Risk for Business at Cork University, said even with the decryption key so many aging and underfunded HSE systems collapsed that paying the ransom demand, rumoured to have been US$20 million, would not have reduced the estimated €100-500 million cost of the attack.

US company Colonial Pipeline recently paid a $4.4 million ransom, while the world’s largest meat processing company JBS, paid $11 million in June. “The incentives for a victim to pay are absolutely immense,” said Emily Taylor, Chief Executive of Oxford Information Labs and editor of the Journal of Cyber Policy. “If you’re in organised crime, why wouldn’t you be in cyber? You get economies of scale, transaction costs are almost zero and you don’t have the same risks as with offline crime. You don’t have to worry about violence or going to prison, because the chances are you will never be brought to justice.”

Sometimes cyber-attacks result in unauthorised access to or theft of patient data. Freedom of information data reveals that following cyber-attacks private healthcare providers notified 111 breaches to the ICO, secondary care providers such as NHS hospitals suffered 50 attacks, while GPs reported 14 incidents.

In Ireland the HSE attack resulted in sensitive data on about 520 patients being published on the dark web. According to Woodworth, a good quality stolen health care record can fetch $1500 in the US. They are sold on by attackers and the end-user then fraudulently obtains private health care or sometimes blackmails patients, said Woodworth.

Abed worries the next wave of attacks won’t be about shutting down whole systems or stealing data. “Instead of just making systems unavailable, what if you mixed all the clinical data together? So imagine, taking lab data and shuffling it between patients or resetting early warning systems to normal. That’s really insidious because unless someone notices something’s off and raises the clinical alarm bell that’s really scary.”

These incidents, which Abed terms ‘clinical integrity extortion attacks,’ could move from theory to reality in coming years. He points to a study from Ben Gurion university in Israel where researchers created malware that put fake cancer nodules on CT scans, fooling specialists into thinking they were looking at genuine clinical results.

Many NHS bodies were unwilling to reveal information, saying that national security and crime prevention considerations prevented them from answering freedom of information requests about the numbers of cyber-incidents. However, other NHS bodies answered freely. For example, Bradford District Care NHS trust said it had experienced ten cyber incidents over the past three years, including one malware, three hacking, and two phishing attempts, while Birmingham Community Healthcare NHS trust reported 50 incidents to the Department of Health and 24 to the ICO.    

Taylor said that it was revealing that no consistent approach had been agreed between hospital trusts on what they say about cyber-attacks. “Victims of cyber-attacks feel ashamed. But this isn’t their fault. They are victims of crime. There needs to be more transparency as that drives the right kind of change.”

She believes there needs to be a move to protection coupled with resilience, as some attacks will always get through defences. “You are never going to be 100% protected, instead you have to make sure you can recover.” Amid many cancelled appointments Irish hospitals reportedly resorted to pen and paper, just as NHS staff did during the 2017 WannaCry attack. 

While the UK government blames North Korea for the WannaCry attack many others originate from Russia, where organised gangs are tolerated by the authorities in return for never attacking Russian targets and occasionally being used as guns-for-hire in offensive cyber warfare. Woodworth said that the Irish government approached the Russian embassy during the recent attack. Although the Russian government offered their help, according to Woodworth, authorities viewed this as a double-edged sword as Russians and other state actors were interested in getting a toehold in the Irish data economy, where about 30 % of all Europe’s data is stored, as many internet giants such as Google and Amazon operate large data centres in the Republic.

Gas fires and explosions 90 times more common than official statistics record, new data reveals

There have been at least 14,000 gas fires and explosions in the UK over the last five years, according to new figures obtained by PA Diploma News.

While official statistics show 155 gas fires and explosions were reported to the Health and Safety Executive over the last five years, this drastically undercounts the number of gas-related incidents. Freedom of information requests submitted to every fire authority in the UK revealed fire crews have attended 13,199 fires and 1,058 explosions since 2016. 

These include fires from leaks from the mains gas supply, barbecues and explosions caused by indoor and workshop gas appliances using butane and propane. For example, investigators believe that several houses in Ashford, Kent were destroyed by an explosion stemming from a leak from a portable heater. 

Higher car bonnets on SUVs risk ‘front-over’ accidents, say campaigners

SUV compared to small Fiat 500, London 2018.  © Richard Baker

British drivers and parents should beware of ‘front-over’ accidents to toddlers caused by the blind zones in front of the high bonnets of 4×4 vehicles, American campaigners have warned.

“The bigger the vehicle, the bigger the blind zone,” said Amber Rollins, of US car-safety campaign Kids and Cars. “You can’t avoid hitting what you can’t see.”

“We brought out my son’s pre-school class. We wanted to see how many kids we could line up sitting in front of one these vehicles,” said Rollins. “We got up to 17.”

Very young child playing in front of massive SUV
Very young child playing in front of large SUV. Image courtesy of Kids and Cars.

Kids and Cars term the incidents ‘front-overs’, to distinguish them from ‘back-overs’, where a slow-moving car reverses into pedestrians. “We’re seeing thousands of children being hurt or killed every year in front-overs,” said Rollins. “On a weekly basis here in the US at least 60 children are run over in a front-over accident. On average two of them die and 58 are seriously injured.”

To test the claims of Kids and Cars, PA Diploma News measured how far a traffic cone the height of a toddler (74cm) had to be moved away from the front of a car, in order for a woman of average height (5’4”) to spot the top of the cone, and compared the results with a similar study done in America.

Image comparing the blind zones in front of various car models.
Comparing front blind zones of various car models. Source: PA Diploma News and WTHR.

We found that American car designs had significantly bigger blind spots than models widely available in the UK, such the Nissan Qashqai. The angle and length of the bonnet significantly affected visibility, with the front blind zone of the Volkswagen Touareg being one-third larger than the that of a Qashqai. Some of these American models, such as the Cadillac Escalade, are occasionally available to buy in the UK.  

Rollins warns that such models could become the norm in the UK, as they have in the US. “They’re trendy. I live out in the suburbs, all the dads are driving in these giant trucks, they don’t need this big truck that you would expect to find out in rural areas where they need the truck for hauling stuff.”

One-in-four of all new cars sold in the UK is now an SUV or 4×4 vehicle. Over the last decade the Society of Motor Manufacturers and Traders reported a 260% increase in the number of sales of what it calls ‘dual purpose’ cars, such as Range Rovers, from 156,552 in 2010 to 562,360 in 2019.

BMW said, “We consider issues such as those highlighted in this report during the design process of our vehicles and all models conform to legal standards. Many BMW models offer features to further enhance pedestrian safety. Examples include front cameras and proximity sensors which are available during low speed manoeuvres.” Other car manufacturers did not respond to a request for comment.

Kids and Cars began its mission to improve car safety when its founder Janette Fennell and her husband were robbed at gunpoint outside their home in 1995. The attackers locked them in the boot of their own car, leaving their 9-month-old child in the back seat, and drove off in a different vehicle, leaving them trapped for hours. After their eventual release, Fennell began campaigning for mandatory luminous emergency release levers inside car boots.

Fennell collected her own data, finding that 1,082 Americans had been trapped in a car boot over the preceding 20 years, either children locking themselves in accidentally, or kidnap victims. In one in four cases the victims died of suffocation, heatstroke or hypothermia.

Kids and Cars eventually won that campaign in 2001. This success led to other car-safety campaigns on the dangers of suffocation from power-assisted windows, carbon monoxide poisoning and hot car deaths.

As deaths and injuries caused by cars in driveways and car parks are not recorded in official statistics, the group began collecting data from media reports. They found that in America non-traffic accidents involving cars, including front-overs, “is likely in the top 5 killers of very young children in our country,” according to Rollins. Similar data is not collected in the UK.

The British anti-homosexual laws still devastating the lives of millions

Divina Lorinda, a queer living in Kampala, Uganda. Photo by Stuart Tibaweswa.

Download article, sized for mobile, to send by Whatsapp or Signal.

Laws criminalising homosexuality in the British Empire still devastate millions of lives today, according to activists. Of the 71 countries which outlaw same-sex relations, half are members of the Commonwealth. Victims of such laws say they hinder the fight against HIV/AIDS and lead to wrongful arrests, extortion and violence.

Map showing the 71 countries which still criminalise homosexuality. Those influenced by British colonial-era laws are shown in red.

Just after dark on 21 October 2019 in Kampala, Uganda, a homophobic mob gathered outside the gate of an LGBT homelessness shelter, set up to help young people shunned by their families. “They had sticks, they had stones, they were throwing all sorts of things,” said Eric Ndawula, 23, one of those inside. “They were shouting, ‘we need to kill them’.”

After Eric called the police, rather than arrest any of the mob, officers charged 16 victims with “carnal knowledge against the order of nature”, a law Uganda inherited from the Indian Penal Code written by British colonial administrators in 1860. During their four-day imprisonment the 16 were searched for evidence of penetration through a “degrading” forced anal examination, before police finally dropped the charges, said Eric.

Timeline showing the introduction of laws outlawing homosexuality in Britain and its Empire, and the steady stream of countries decriminalising same sex intimacy in recent decades

The Indian Penal Code was one of a series of Victorian laws which clamped down on homosexuality. Another in 1885 criminalised sex acts between men short of penetration as ‘gross indecency’. This amendment was debated for only four minutes, one of which was spent increasing the punishment from one to two year’s hard labour. Both Oscar Wilde and second world war codebreaker Alan Turing fell foul of this law.

Victorian England never outlawed lesbianism. However, of the 43 countries which criminalise sex between women some, like Uganda, are influenced by British gross indecency laws. According to Téa Braun of the Human Dignity Trust, a charity campaigning for LGBT rights, “In some countries, ironically, it came about as an attempt to make the laws non-discriminatory. So a country that had a law which specifically criminalised men, rather than being seen as discriminatory in criminalising anybody,” she said, the governments decided “we have to capture both male and female same-sex conduct.”

Failed amendment in UK Parliament to criminalise gross indecency between women,1921
In 1921 Conservative MP F.A. Macquisten introduced a new amendment to Section 11 of the Criminal Law Amendment Act to criminalise female same-sex sexual acts. It failed after the House of Lords worried that it would lead to blackmail and that the “more you advertise vice by prohibiting it the more you will increase it.” Image courtesy of the University of Glasgow Library.

On 17 February 2021 the Himalayan state of Bhutan decriminalised homosexuality. Activist Tashi Tshten from Rainbow Bhutan said, although Bhutan was never colonised by the British, “Most of the laws were basically copy-pasted from the Indian Penal Code. So when you look at those laws and see language like sodomy and unnatural sex, these are very common words that you can find even in Sri Lanka, Bangladesh, and some parts of Pakistan. These laws came from the colonial era.”

The gross indecency law became known in Victorian England as the ‘Blackmailer’s Charter’. Tashi became a victim of that colonial legacy. “I was blackmailed because he found out that I was gay. He told me that he would tell the police that I engage in this type of activity and he would call the police unless I pay him the money.”

(L-R) Dechen Selden, Lyonpo Namgay Tshering (Finance Minister), Sonam Choden, Ugyen Y Lhamo & Kencho Tshering. Image courtesy of Rainbow Bhutan.

Extortion by corrupt police officers was one of the sparks for the two-decade legal campaign to repeal section 377 of the Indian Penal Code by Anjali Gopalan of the Naz Foundation, an Indian HIV/AIDs organisation. “The police would say ‘we’re arresting you and we’re going to call your family, we’re going to tell them you were with another man.’ We have one of the most corrupt police systems in the world, so they would just make money off these men.” said Anjali. The Naz Foundation eventually won their legal battle in 2018.

Audio: Anjali Gopalan tells the story of the campaign against Section 377 of the Indian Penal Code, which criminalised ‘unnatural offences’ as ‘carnal intercourse against the order of nature.’

Elsewhere the British colonial legacy continues. Last year two Zambian men, Japhet Chataba and Steven Sambo, received a Presidential pardon after serving three of their 15 year prison sentence for “carnal knowledge of any person against the order of nature”.

Such laws make it more difficult for people to report hate crimes. “LGBT people are labelled by the state as criminals,” said Téa Braun, “People die because of these laws: at the hands of the state, at the hands of the community, at the hands of, sometimes, people’s own family.” Sometimes LGBT people are raped, including by members of their own families, in order to ‘cure’ them. Amber Fatmi from the Lawyer’s Initiative Forum in India said, “Such cases come in where you report against the family for corrective rape, then the police also book you for unnatural sex. So largely because of that the LGBTQ community do not come up and say that rape has happened.”

These laws also hobble the campaign against HIV/AIDS, according to Téa. “The HIV prevalence rates in many criminalising countries is notably higher than in non-criminalising countries. Why would someone go and report their sexual conduct to a health practitioner if that person might report them for committing a crime?”

The only silver lining to this dark cloud is that the response to the HIV/AIDS epidemic created movements to end criminalisation. In India the campaign against section 377 grew out of groups educating people about safe sex. “On the one hand the government was funding programmes for men who have sex with men”, said Anjali, “and on the other the police were” locking up Naz outreach workers. In Bhutan, according to Tashi, their biggest allies were in the health ministry, while the influential Minister of Finance worked in the HIV/AIDS prevention. For a variety of reasons, over the last decade a succession of Commonwealth countries, such as Fiji, the Seychelles, Belize, Trinidad and Botswana have decriminalised homosexuality.

So what would Eric Ndawula say if he came face-to-face with one of these Victorian lawmakers?  “People refuse to accept that people could be different than them. You never know that LGBT people exist until you know that your son is gay, or your wife, or you yourself.” This is a point echoed by Téa Braun: “Whether intentionally or unintentionally they’ve created vast global devastation in the lives of hundreds of millions of people – men and women. Perhaps the lack of knowledge back then of people and of the diversity of the human species led to that. But that lack of knowledge and that prejudice lives on today in the lives of hundred of millions of people.”

Only one in five elected Republicans recognises Joe Biden as President-elect

Despite losing the US Presidential election, 59 defeated lawsuits challenging the result, and certification of the result by all states and the electoral college, only one in five elected Republicans has acknowledged Joe Biden as President-elect.

While high profile ex-politicians such as former President George W Bush have welcomed Biden’s victory, currently elected officials have been less willing to acknowledge Donald Trump’s defeat. According to an analysis of their public announcements only 67 of almost 300 Republican governors, senators and congressmen have recognised the Democratic victory.

After an initial flurry when the main media organisations called the election, and a few more when the electoral college – a key stage in the US Presidential election process – delivered its verdict on December 14, the rate of public statements by Republicans has slowed to a trickle.

Some of the concessions came after the failure of Trump-inspired lawsuits to prevent the official certification of the result by key swing states won by the Democrats, such as Georgia and Michigan. Subsequently, amid intense political pressure, the General Services Administration (GSA), the agency which manages the Federal bureaucracy, formally began the transition process.

The electoral college is the official system by which the total number of votes in each state is translated into state-by-state votes for the president – in rough proportion to the population of each state. After the electoral college vote more Republicans, such as Senate Majority Leader Mitch McConnell, publicly recognised that Biden will be the next President after his inauguration later in January.

Others are maintaining an awkward silence. According to Congressman Denver Riggleman, who recognises the result, he has spoken to 30 to 40 fellow Republicans who privately acknowledge Biden’s victory.

Some Republican politicians have embraced Trump’s strategy of lawsuits, recounts and political pressure to contest the result. “Georgia’s recount was a charade!” said Congressman Jody Hice from Georgia.

President Trump’s allies in Congress, such as Representative Mo Brooks of Alabama, are reportedly planning to challenge the result when both Houses of Congress count the electoral college votes on January 6. Democrats have done so in the past, although mostly as a symbolic act. If Republicans in the lower House can get one member of the Senate to join their challenge, then they can force Congress to debate and vote on the issue.

At least one incoming Senator, Tommy Tuberville of Alabama, has suggested he might support such a challenge. If he does and the challenge is put to a vote then Republicans in both Congress and the Senate will be forced to end their silence and vote either in favour of recognising Joe Biden’s victory, or effectively endorsing President Trump’s claim that the election was stolen. Senior Senate Republicans oppose any challenge. John Thune, the number two Republican in the Senate, said that the idea was “going down like a shot dog.”

Those who do recognise Trump’s loss face retaliation. Soon after Ohio Republican Governor Mike DeWine recognised Biden’s win Trump tweeted, “Who will be running for Governor of the Great State of Ohio? Will be hotly contested!” Shortly after Arizona certified the election result, the President also claimed the Republican Governor had betrayed the people of that state. 

President Trump has raised over $200million in post-election fundraising on the back of his claims of a rigged election. Much of this sum will be available for his new Save America political action committee, which in theory could be used to fund internal party challenges in Republican primary elections against incumbents who he believes have been disloyal. Trump is reported to have directed his advisers to begin monitoring the public statements of Republicans senators and governors, some of whom are up for election in 2022.

After Congress counts the electoral college votes on January 6, the next major stage in the Presidential election process will be the inauguration on January 20.