Major London hospitals have had to cancel operations and blood transfusions after being hit by a cyber-attack that led to them declaring it a “critical incident”.
Seven hospitals run by two NHS trusts have suffered serious disruption to their services as a result of a ransomware attack targeting a private company that analyses blood tests for them.
The hospitals affected include Guy’s, St Thomas’ and King’s College as well as the Evelina children’s hospital, Royal Brompton and Harefield specialist heart and lung hospitals and also the Princess Royal hospital in Orpington.
The incident’s impact also meant that at least one of the hospitals had to postpone or ask other hospitals to perform some scheduled childbirths by planned caesarean section.
The hackers inserted a piece of software into Synnovis’s IT system which locks up a computer system to extort a payment for restoring access, it is understood.
NHS England said that while emergency care and outpatient appointments at the seven hospitals were operating as normal, elective operations there had been cancelled or moved elsewhere. The NHS’s London region triggered “mutual aid” procedures, under which hospitals elsewhere in the capital helped those affected, to help ensure that at least some of the affected hospitals’ work still went ahead.
The attack, which began on Monday, was on Synnovis, a partnership between the Guy’s and St Thomas’ (GSTT) and King’s College trusts and private firm Synlab to analyse blood tests. The trusts have contracts totalling just under £1.1bn with Synnovis to provide that vital service.
Prof Ian Abbs, GSTT’s chief executive, wrote to its staff on Monday evening to warn them that “our pathology partner Synnovis experienced a major IT incident earlier on Tuesday, which is ongoing and means that we are not currently connected to the Synnovis IT servers.
“This is having a major impact on the delivery of our services, with blood transfusions being particularly affected.”
Mark Dollar, Synnovis’s chief executive, said it had set up a taskforce of experts from the firm and the NHS who are “working to … take the appropriate action needed.
“This has affected all Synnovis IT systems, resulting in interruptions to many of our pathology services. This is a harsh reminder that this sort of attack can happen to anyone at any time and that, dispiritingly, the individuals behind it have no scruples about who their actions might affect,” Dollar added.
It is unclear how or when Synnovis and the trusts will be able to repel the attack.
Synnovis has reported the attack to the information commissioner and is working with the National Cyber Security Centre and Cyber Operations Team.
One healthcare worker said that while Synnovis’s labs were still functional, communication with them was limited to paper only, imposing a huge bottleneck and forcing cancellation or reassignment of all but the most urgent bloodwork. Direct connections with Synnovis’s servers were cut to limit the risk of the infection spreading.
Increasingly, ransomware attacks also involve the exfiltration of sensitive data, with a threat to publish the hacked information if a payment is not forthcoming.
This is the third attack in the last year to hit part of the Synlab group – Synnovis’s parent company – which is a German medical services provider with subsidiaries across Europe. In June 2023, ransomware gang Clop hacked and stole data from the French branch of the company just days after it hit headlines for bringing down a payroll provider for companies including BA, Boots and the BBC. Clop published the stolen data later that summer.
In April this year, Synlab’s Italian subsidiary was hit by a different ransomware group, called “Black Basta”. In that attack, the group stole 1.5TB of data, and again published it when no ransom was paid.
Synlab UK has been approached for comment.
Healthcare services are popular targets internationally for ransomware gangs. Underinvestment in IT can leave systems vulnerable to attack, while the risk to patient health means many providers are eager to restore services as quickly as possible, regardless of the cost.
• This article was amended on 5 June 2024 to remove a reference to Orpington being in Kent; it is in the London Borough of Bromley.