Cyber hack attack - how one click on an email link paralysed SA's National Health Laboratory Service

Dr Karl le Roux, a DA member of Parliament. (Photo: Supplied)
The critically important National Health Laboratory Service, a state entity, has admitted that its IT system was in no way geared to counter a data hack that brought its work to a halt in June last year.

In damning evidence before Parliament this month, the National Health Laboratory Service (NHLS) admitted that its IT systems were out of date and could not be updated, and its staff were not fully apprised of the danger of clicking on unknown links when its system was hacked in June 2024.

The NHLS management was testifying before the Portfolio Committee on Health.

Parliament heard that security upgrades to the IT system were not possible and it was vulnerable to attack because of several IT-related issues at the service. Acting IT executive manager John Mukomana said the NHLS was still working to get its IT system up to “minimum acceptable standards”.

BlackSuit, an extortion syndicate, gained access to the NHLS’s database on 21 June 2024 after an employee clicked on a phishing link, said the service. In previous statements, it explained that the hackers used ransomware that encrypts data until the syndicate is paid, in effect freezing the system. The ransom was not paid, it added.

The NHLS is the public sector medical laboratory, where 400,000 tests are done per day. It is one of the cornerstones of South Africa’s fight against HIV and TB and a critical part of the public health system.

Most significantly, the attack had rendered the TrakCare laboratory information system unusable, so although it was possible for medical tests to be done, the results could not be seen by the requesting doctors. The laboratory information system allows for the uploading of test results so that doctors can view the test results on their side. 

The attack also prevented access to the NHLS’s data warehouse, where decades of historical medical data is stored.

Koleka Mlisana at Daily Maverick's The Gathering on 24 November 2022. Now the CEO of the National Health Laboratory Service, she was co-chair of the Ministerial Advisory Committee on Covid-19 at the time. (Photo: Felix Dlangamandla)


Hopelessly inadequate


In Parliament, Mukomana said most of the NHLS’s IT infrastructure was out of date. “We were not able to update our systems or put security patches in place,” he said. 

Since the attack, however, extensive upgrades have been made to the NHLS’s security measures.

“We need to improve our governance structures,” Mukomana added. “Also, IT issues must be listened to.” 

He said that before the attack there was a lack of IT skills at the NHLS and even its executive was lacking technology skills.

At the time of the attack, highly regarded researcher Professor Koleka Mlisana was six weeks into her tenure as the chief executive of the NHLS.

“We got attacked through phishing on emails. Another big gap was security awareness among staff members,” she said in her evidence before the portfolio committee.

Mlisana said that since the attack, a plan had been drawn up to fix the NHLS’s IT systems and correct the lack of safety awareness among staff members. She highlighted significant investments in new cybersecurity, IT upgrades and staff training. These initiatives had been approved by the board.

Mlisana said the risks the NHLS identified after the attack were vulnerability to phishing attacks, end-point malware, credential theft and unauthorised network access. “But measures have been put in place to counter these,” she added. 

According to evidence before the committee, a “two-step” verification system at the NHLS was only introduced recently.

The cost of strengthening the NHLS’s IT system after the attack now stood at R300-million, and Mlisana said more still needed to be done. The costs included R15-million for security operations services for three years; R28-million for new desktops and laptops; R164-million for safe switches, firewalls and enhanced security for five years; and R94-million for an upgrade of the data warehouse. 

“There are quite a few more upgrades to come,” Mlisana said.

“The cyberattack occurred on 21 June. I will never forget that date,” she added. The busy laboratories suddenly went from 400,000 tests per day to none. “We had to stop everything. Everything had to be done manually. We had to create an essential diagnostic list so we could do the important and critical tests first.

“Hardly anything came through in July. We were unable to access our systems for a full six weeks. This caused a huge backlog – clinics and hospitals were sending work but these had to be put on the system.”

Only now, nine months after the attack, Mlisana said, was the NHLS back to its pre-attack volumes.

Minister of Health Aaron Motsoaledi responds to media questions about the 2025 Budget Review and speech at Nieuwmeester Dome in Cape Town on 12 March. (Photo: Jeffrey Abrahams / Gallo Images)


Effect on patients


Doctors in the state sector, speaking to Daily Maverick on condition of anonymity, said praise should be given to NHLS personnel who were inventive and created WhatsApp groups to mitigate the crisis. In emergencies, some wrote results on their hands and ran upstairs to assist the clinicians. 

Analysing the cyberattack in research published in the South African Medical Journal, haematologist Professor Sumaiya Cassim said more research was needed to determine the exact extent of the attack on patients. Some of their tests took twice as long as usual to complete. 

“The human and material cost of this cyberattack is still to be determined. Future cyberattacks of this nature are likely to occur, hence the urgent need for investment in cybersecurity,” she added.

“The NHLS’s downtime standard operating procedure was instituted. However, this [SOP] had no contingency plan for a cybersecurity breach, and was clearly not fit for purpose. The prolonged, complete shutdown of all network services ensued.

“All NHLS staff, including management, pathologists, registrars, technologists, scientists and support staff were unprepared for such an attack. As this cyberattack affected all aspects of the NHLS’s operations, a ready-to-apply business continuity plan was required and, unfortunately, such a plan was not available,” Cassim wrote. 

“Staff were left to their own devices because senior leadership had no ready solution. Adequate and timely additional support was not provided, which led to increased workloads and inevitable pressure. Staff levels of anxiety were exacerbated by uncertainty regarding income and job security. Furthermore, there was no informed indication as to when the situation would be resolved.” 

Cassim added that doctors could not request specific tests and had to collect paper results manually or get them through other channels like WhatsApp. She added that turnaround times for test results were “immediately prolonged, and in most cases doubled”.



Improved management


Dr Karl le Roux, who is a DA member of Parliament, said he was aware that the password system for clinicians had been strengthened since the attack to avoid similar problems in future.

Mlisana, in turn, admitted that the NHLS had not been “the best” at consequence management. She said this issue had been brought to the board and the service would do better in future. 

“There has got to be consequence management for IT issues, otherwise we will go around in circles,” she added.

Mlisana said the NHLS had received a report from an independent contractor that undertook a forensic investigation. “We are going through it – whatever consequences have to be taken will be taken.”

In a written response to a question in Parliament, Minister of Health Aaron Motsoaledi said measures that were implemented included software that detects and responds to threats. The NHLS had also implemented a security operations centre to actively monitor and respond to cyberthreats.

“To strengthen and sustain cybersecurity in the long term, the NHLS will implement the managed endpoint security solution, which will be deployed to secure endpoints across the network, and an expansion of multifactor authentication will be introduced across more systems to enhance access control,” Motsoaledi added.

In October 2024, he said the decryption of historical data held by the NHLS was continuing and there was no set date for the completion of this project.

Reporting on the safety of other health systems in the country, Motsoaledi said: “Each of the health entities operate their own IT system independently from each other and the Department of Health. The entities have reported that they have implemented measures to prevent a cyberattack based on historical information about how cyberattacks are known to occur. 

“These measures will prevent attacks where the perpetrators use the anticipated approach. Despite institutions investing significantly in cybersecurity, we still see reports of cyberattacks around the world. This is mainly because the perpetrators are always innovating new methods of cyberattacks that evade the software systems that prevent such attacks.”

Vulnerability exposed



  • In July 2024, Minister of Public Works Dean Macpherson said cybercriminals had stolen at least R300-million in the past 10 years, but this amount could be higher as investigations continued. The Portfolio Committee on Public Works also received reports that R55-million had been lost to hackers in March, April and November 2024.

  • The Government Pensions Administrative Agency was targeted by the ransomware group LockBit in February 2024, but the system could be shut down and pension payouts were not affected.

  • The IT systems of the South African Bureau of Standards were also hacked in 2024.

  • The Presidency mentioned in December 2024 that the two most noted cyberattacks had been on the National Health Laboratory Service and the state-owned weapons manufacturer Denel.

  • In January, Minister of Cooperative Governance and Traditional Affairs Velenkosini Hlabisa said information received from the State Security Agency (SSA) revealed that several municipalities in South Africa were found to have unsafe IT systems.


“The SSA also assessed several municipalities and found that they were not adequately protected against cyberattacks,” Hlabisa said in his response to a question in Parliament. “The main causes of these vulnerabilities are outdated infrastructure, a lack of ICT and cybersecurity skills, and not implementing the recommendations made during their assessments.” DM

This story first appeared in our weekly Daily Maverick 168 newspaper, which is available countrywide for R35.