NHS patients affected by cyber-attack may face six-month wait for blood test

Patients denied a blood test because of a Russian cyber-attack on the NHS may have to wait up to six months to have their sample taken, the Guardian has learned.

The delays are so long that some patients have decided to pay to have their blood taken and analysed by a private clinic rather than remain on the NHS waiting list.

Hospitals in south-east London affected by the hacking gang’s seizure of 300m pieces of NHS data have been writing to patients to warn them that they now cannot provide their blood test.

One patient was told by letter: “Sadly it appears it may be three to six months before bloods can be taken again. You will be put on a waiting list and our secretaries will contact you when bloods can be taken again.

Related: UK government weighs action against Russian hackers over NHS records theft

“If you haven’t heard anything in the next four months please feel free to contact us on the details above. I want to apologise for this inconvenience and appreciate this will be frustrating.”

The patient, who asked to remain anonymous, said: “I have little option other than to go privately to have the tests and necessary treatment. The cost will be significant. While I can afford this, most people could not.”

Nine acute or specialist NHS hospitals as well as providers of mental health, community health and GP services across a swath of south-east London serving 2 million people have had to severely ration blood tests since the Russian-based Qilin gang’s ransomware attack began on 3 June.

Limited capacity means only blood tests deemed “urgent” by a committee of medics and managers are going ahead in the short term.

What the NHS has called “significant disruption” caused by the attack also forced King’s College hospital (KCH) and Guy’s and St Thomas’ (GSTT) health service trusts to cancel 1,134 planned operations and 2,194 outpatient appointments in the first 13 days. These included 184 cancer procedures and 64 organ transplants.

Qilin unleashed its attack on Synnovis, a provider of pathology services – such as blood tests and transfusions – that is jointly owned by KCH and GSTT and the private company Synlab. As a result, affected hospitals and GP surgeries can only do about 30% of their normal number of blood tests.

Related: What does the London NHS hospitals data theft mean for patients?

The Guardian reported on Friday that the UK government was considering using the National Crime Agency (NCA) to hit back against Qilin after some of the stolen data was posted online. Qilin had reportedly been demanding a $50m (£40m) ransom.

In February the NCA deployed a specialist team to take action against LockBit, another gang of Russian hackers. Outfits such as Qilin and LockBit typically infiltrate an organisation’s IT system and prevent them from using it unless they pay a ransom to regain access.

NHS England’s London region, which is coordinating the service’s response to the hack, declined to comment on patients facing six-month waits to have their blood test rearranged.

However, in a question and answer statement on Friday, it acknowledged that the hack would continue to cause major problems for Synnovis and the NHS for months to come. Synnovis had “plans in place to begin restoring some functionality in its IT system in the weeks to come”, it said. The cyber-attack has in effect locked it out of its own IT system.

“Full technical restoration will take some time, and the need to rebook tests and appointments will mean some disruption from the cyber incident will be felt over coming months,” it said.

The NHS has opened a helpline to answer queries from patients.