Cyber Incident Victim: National Health Laboratory Service
Date:
Jun 2024
Location:
South Africa
Summary
The National Health Laboratory Service experienced a ransomware attack targeting its IT infrastructure, rendering systems inaccessible internally and externally while blocking communication between laboratory information systems and users. Although the breach compromised sections of the primary and backup servers—requiring rebuilding—no patient data was lost or accessed. The organization activated its incident response team with internal and external cybersecurity experts, implemented additional security layers to block ongoing attacks, and shut down systems for repairs. Despite disruptions to automated report generation, all laboratories remain operational, processing clinical samples and communicating urgent results telephonically to clinicians. Service restoration timelines remain undetermined as investigations continue.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On June 22, 2024, the National Health Laboratory Service (NHLS) publicly confirmed a cybersecurity incident involving a ransomware attack that compromised its IT systems and infrastructure the prior Saturday. The attack targeted specific points within the NHLS network, deploying ransomware that rendered critical systems inaccessible and severed communication between the laboratory information system, databases, and users. Internal and external access to NHLS systems remained blocked, disrupting connectivity with healthcare facilities. The organization’s preliminary investigation determined no patient data was lost or compromised, explicitly stating all patient data remained secure. However, investigators discovered sections of the system—including portions of the backup server—had been deleted, necessitating reconstruction of affected components. NHLS activated its incident response team immediately after detection, engaging both internal experts and external cybersecurity professionals to contain the breach. Additional security layers were implemented to block subsequent cyber attacks, though the organization had to shut down systems entirely to facilitate repairs. NHLS acknowledged the disruption’s severity but could not provide a restoration timeline due to the ongoing investigation’s preliminary stage.
The attack severely impacted NHLS operations by disabling automated laboratory report generation and distribution, which under normal conditions sends results directly to clinicians or makes them available via web view. Despite this, all NHLS laboratories remained fully operational, continuing to receive and process clinical samples manually. Urgent test results were communicated telephonically to requesting clinicians to maintain critical healthcare functions. NHLS emphasized its commitment to business continuity and quality service delivery but apologized for the inconvenience caused by the prolonged system outage. CEO Professor Koleka Mlisana and Board Chair Professor Eric Buch led the executive team in round-the-clock efforts to restore systems and ensure service continuity. The NHLS, as South Africa’s primary government diagnostic pathology service, prioritized resolving the incident to minimize disruptions to health department support. Stakeholders and the public were advised updates would follow as more information became available during the recovery process.