Pathology services provider says organisations whose data was affected by the disruptive ‘smash and grab’ attack, reportedly perpetrated by Russian cybercriminals, will be notified by the end of next week
A “forensic” investigation into a June 2024 cyberattack that significantly impacted pathology services provided for two NHS trusts in London has formally concluded, more than 16 months after the incident took place.
Synnovis, which is a pathology partnership between Guy’s and St Thomas’ NHS Foundation Trust, King’s College Hospitals NHS Trust and private-sector testing firm Synlab, said this week that organisations whose data was affected are now being contacted.
The ransomware attack, reportedly perpetrated by the Qilin gang, forced Synnovis to divert non-urgent blood tests and result-processing to other pathology labs. It also caused the NHS to make an urgent plea for donations of blood types O positive and O negative to minimise the need for pathology checks.
The cyberattack is estimated to have cost Synnovis £32.7m and impacted services at five NHS trusts, as well as other care-service providers.
Minister for AI and online safety Kanishka Narayan told MPs this week that the attack had caused delays to more than 11,000 outpatient and elective procedure appointments and contributed to the death of one patient.
Announcing the end of investigations into the extent of the data breach, Synnovis chief executive officer Mark Dollar said the cyberattack was a “smash-and-grab” raid.
The firm said the stolen data was “unstructured, incomplete and fragmented” and that a large team of forensic experts and data specialists had taken more than a year to work out what had been compromised.
Synnovis said the need to use highly specialised platforms and bespoke processes to piece the extent of the attack together were factors that had “heavily influenced” the duration of the investigation.
Related content
- Cancelled appointments top 6,000 but NHS claims most services now ‘near normal’ after cyberattack
- Criminals claim release of sensitive data after London hospitals cyberattack
- NHS cyberattack: Urgent call for blood donors as reports warn of ‘many months’ to recover
It said organisations affected by the attack were expected to have been contacted by 21 November, and that under UK data-protection law it would be up to those organisations to contact affected individuals.
CEO Dollar said it was clear that last year’s cyberattack had caused a great deal of disruption, concern and upset to patients, frontline NHS colleagues, and other service users.
“We sincerely apologise for this,” he said. “I must also recognise and thank our own people who worked tirelessly to minimise any impact and remained dedicated to patient care. It has taken more than a year of painstaking investigation to decipher and piece together the data stolen in this smash-and-grab cyberattack. I’ve seen first-hand the scale of the challenge – even for leading cyber experts – to tackle the random and fragmented nature of the data scraped from our systems. Our focus now turns to notifying the organisations affected. We are offering our full support as they determine their next steps.”
Synnovis said that none of the IT infrastructure that was impacted by the cyberattack remains in use.
It said that within four months of the cyberattack the partnership had rebuilt a new blood-transfusion platform, then gone on to complete a substantial cloud migration of its core systems.
Synnovis said that by November last year it had rebuilt more than 75 applications and “reconnected a vast pathology estate spanning seven locations from the ground up”, including over 65 scientific analysers and more than 120 individual connections.
