Ransomware Attack on Synnovis Affects London Hospitals

Synnovis, a UK-based medical laboratory services provider, encountered a ransomware attack that disrupted patient services at several NHS hospitals in London. Operations at the following hospitals and care centers were affected:

  • Guy’s Hospital
  • King’s College Hospital
  • St Thomas’ Hospital
  • Evelina London Children’s Hospital
  • Royal Brompton Hospital
  • Care sites in six London boroughs: Bexley, Lewisham, Greenwich, Bromley, Lambeth, and Southwark.

Synnovis, a diagnostic and pathology services provider, posted an advisory on its customer service website to notify everyone that its systems were inaccessible. The provider launched an investigation to determine the cause of the outage. Synnovis advised the impacted NHS Trusts that it had encountered a malware attack. Later, it sent an email reporting that it was a ransomware attack and declared critical incident emergency status. Synnovis, the Cyber Operations Team, and the National Cyber Security Centre are working on recovering systems and data, but they cannot confirm when recovery will be finished.

The impacted hospitals have proven business continuity programs in place for critical incidents like ransomware attacks. They continue to offer patient care; however, the attack has significantly affected the provision of several services. The affected hospitals still provide emergency services, such as urgent care centres, A&E, and maternity services, but they have stopped providing pathology services and fast-turnaround blood tests. Blood transfusions are specifically impacted. Consequently, all non-emergency pathology consultations were postponed or rerouted to other healthcare providers. Hospital employees were advised to obtain only emergency blood samples.

Patients who need to access emergency services can dial 999 or use NHS 111 via the NHS App, on the web, or by telephone. Patients must attend their appointments unless the clinic team informs them otherwise. At present, the total scope of the attack and its effect on patient information are unknown. As soon as more data is available, a report will be provided consistent with ICO requirements.

According to the Information Commissioner’s Office (ICO), hospitals in the United Kingdom have encountered 215 ransomware attacks since 2019. In 2023, ransomware attacks hit record levels, with a minimum of 1,231 attacks across all industries. Government authorities are concerned that many attacks aren’t reported, which makes it hard to monitor compliance with data privacy regulations like HIPAA laws.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years of experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X: https://twitter.com/DanielLHIPAA