Thousands of couples’ intimate fertility details may have been accessed by Russian hackers after they targeted a prestigious clinic, Metro can reveal.
The London Women’s Clinic, which offers IVF, egg freezing and other fertility treatments at 17 centres across the country, was compromised by the ransomware gang Qilin.
A number of NHS patients are among those who use the clinic and may have had their private medical data stolen.
The ‘concerning’ data breach is believed to have taken place on October 19, when the Russian group posted about it on its dark web channels.
One former private patient, who used the clinic with her husband for initial investigations, told Metro: ‘It’s horrible to think my personal details could be part of a criminal database, with information it was hard to share even with a doctor potentially becoming public knowledge. Fertility challenges are already hard enough.
‘News that they have been hacked is a concern, as obviously the things you share and discuss in those consultations can be incredibly intimate and upsetting, and not the kind of thing you’d want to see plastered on the dark web.
‘I haven’t had any emails from them to indicate there could have been a problem, so this is the first I’ve heard of it.
‘They used encryption to send confidential messages, so seemed to be taking care to keep personal information protected. Hopefully any data accessed was therefore limited.’
The Human Fertilisation and Embryology Authority (HFEA) and NHS England have confirmed the hack.
Rachel Cutting, director of compliance and information at the HFEA, said: ‘The clinic has informed the HFEA of the incident in line with its regulatory requirements and is giving us regular updates during the course of their full investigation.
‘We appreciate that this incident may be concerning to patients. Any patients who have questions about the incident should contact the clinic. Patients can also access further support through the clinic’s counselling service.’
Tone Jarvis-Mack, of the Fertility Foundation, called on The London Women’s Clinic, which has not commented publicly about the hack, to be ‘transparent’ about the nature of the ‘concerning’ data breach.
The fertility charity’s chief executive last night said: ‘The clinic should be transparent. Any company is vulnerable to an attack.
‘That patient data may be leaked out into the public will add more stress at a time when they are going through a stressful situation.
‘If their personal or medical information is out there, that could leave them vulnerable to scams. Clinics should be ultra secure. We have to go on faith that they are protecting our data.’
Mr Jarvis-Mack estimated that the clinic could hold sensitive personal data for ‘thousands’ of couples they have treated over the years, including many partners being funded through the NHS.
He continued: ‘The London Women’s Clinic holds treatment data, and information on medication tests, STI checks.
‘There are all kinds of tests you would not want public. With that information that would allow them to create the perfect scam. They would know exactly who you are, your partner’s name, your occupation.’
An NHS England spokesperson said: ‘We are aware of an incident affecting the private provider London Women’s Clinic and our Cyber Security Operations Centre has been working with them to offer support and assess any impact.’
The London Women’s Clinic opened in 1985 and pioneered treatments for prospective mothers.
They were the first clinic in the UK to provide sperm donor insemination for lesbian couples.
Who are Qilin?
Qilin are a Russian-speaking ransomware gang, although the location of the group is unknown.
The hackers have been active since October 2022, when they launched attacks on companies such as Robert Bernard in France and Australian IT consultancy Dialog.
They also offer ‘ransomware as a service’, which allows other hackers to use their tools in return for a cut of the proceeds.
One of their most devastating UK attacks was against the publisher of the Big Issue in March 2024. They wrecked the group’s systems and published more than 500GB of confidential data after the publisher refused to pay a ransom.
In 2023, Qilin’s typical ransom demand was anything from $50,000 to $800,000, according to Group-IB, a cybersecurity firm which infiltrated the group that year.
Qilin, based in Russia, was behind a ransomware attack on NHS hospitals in June which affected blood transfusions and test results.
Ransomware attacks involve hackers encrypting a victim’s files, locking them out of their data, and then demanding a ransom for the decryption key.
Qilin has been known to post stolen data on the dark web when their victims fail to pay a ransom.
It is not known what information has been accessed and whether the London Women’s Clinic has paid any ransom for the data.
London Women’s Clinic has not responded to requests for comment.