St Thomas' Hospital, London
St Thomas' Hospital, London. Image: Guy's and St Thomas' NHS Foundation Trust / Facebook

Critical incident declared as ransomware attack disrupts multiple London hospitals

Operations have been canceled at several of London’s largest hospitals, and a critical incident emergency status declared, following a ransomware attack on a third-party provider leaving healthcare professionals without access to pathology services.

The attack, which was detected on Monday, impacted a company called Synnovis that provides pathology services, such as blood tests for transfusions, to a number of healthcare organizations, according to reports and internal emails published on social media.

“I can confirm that our pathology partner Synnovis experienced a major IT incident earlier today, which is ongoing and means that we are not currently connected to the Synnovis IT servers,” wrote Ian Ebbs, the chief executive at Guy’s and St Thomas’ NHS Foundation Trust, a hospital network.

Royal Brompton and Harefield hospitals, the largest specialist heart and lung centers in the United Kingdom, are also believed to be affected. The incident is also affecting King’s College Hospital NHS Foundation Trust “and primary care across south east London,” wrote Abbs, “having a major impact on the delivery of our services, with blood transfusions being particularly affected.”

Some appointments have already been canceled or patients have been redirected to other providers at short notice due to the incident. The burden on other hospitals due to extra patients may lead to a further stretching of resources and more critical incidents being declared. It is not clear how long the disruption will last for.

“I recogise how upsetting this is for patients and families whose care has been affected, and how difficult and frustrating this is for you all. I am very sorry for the disruption this is causing,” Abbs wrote.

The disruption to the blood transfusion IT system risks having a major impact on trauma cases, as only urgent blood components will be transfused when it is “critically indicated for the patient,” according to one message.

A government spokesperson said: “The Department of Health and Social Care, NHS England and the National Cyber Security Centre are working together to investigate a cyber incident affecting a number of NHS organisations in South East London. Patient safety is our priority and support is being offered to the impacted organisations.”

The attack is the latest of 215 ransomware incidents affecting the health sector in the United Kingdom since January 2019, according to personal data breaches reported to the Information Commissioner’s Office (ICO).

Ransomware attacks reached record levels in the United Kingdom last year, according to this data. Although the data suggests that incidents dropped from a record 106 in 2022 to just 32 in 2023, both the ICO and the National Cyber Security Centre have said they are “increasingly concerned” about ransomware victims failing to report incidents.

To tackle the ransomware crisis, officials at the Home Office had planned to launch a public consultation in June proposing radical measures — including requiring all victims to seek a license before making a ransomware payment —  although these plans have been delayed by the Prime Minister calling a snap election.

Attacks on the healthcare sector risk being especially impactful to patients. Earlier this year, cyber extortionists published sensitive patient data stolen from NHS Dumfries and Galloway, part of the Scottish healthcare system, in a bid to demand money from the local health board.

A ransomware attack affecting Australian health insurance business Medibank back in 2022 saw patient histories and treatment data compromised by criminals.

The criminals, seeking to extort the Australian business and the affected patients, subsequently began publishing sensitive healthcare claims data for around 480,000 individuals, including information about drug addiction treatments and abortions.

Synnovis statement

Following publication, Synnovis chief executive Mark Dollar released a statement confirming that the business — a partnership between the company SYNLAB and two London hospital trusts — had become “the victim of a ransomware attack.”

Dollar stated that the immediate impact is on patients using Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust, as well as GP services across Bexley, Greenwich, Lewisham, Bromley, Southwark and Lambeth boroughs.

“It is still early days and we are trying to understand exactly what has happened. A taskforce of IT experts from Synnovis and the NHS is working to fully assess the impact this has had, and to take the appropriate action needed. We are working closely with NHS Trust partners to minimise the impact on patients and other service users.

“Regrettably this is affecting patients, with some activity already cancelled or redirected to other providers as urgent work is prioritised. We are incredibly sorry for the inconvenience and upset this is causing to patients, service users and anyone else affected,” wrote Dollar.

“We take cybersecurity very seriously at Synnovis and have invested heavily in ensuring our IT arrangements are as safe as they possibly can be. This is a harsh reminder that this sort of attack can happen to anyone at any time and that, dispiritingly, the individuals behind it have no scruples about who their actions might affect.

Editor's Note: Story updated 3:55 p.m. London time with statement from Synnovis.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Alexander Martin

Alexander Martin

is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.