Key Takeaways

• The ransomware attack on Synnovis resulted in an estimated £32.7 million loss, impacting profits for 2024 and 2025.
• Thousands of procedures were postponed, and efforts to secure and rebuild IT systems were implemented following the attack.
• The NHS has faced multiple cyber incidents in 2024, raising concerns about data security and operational pressures.

Impact of Cyber Attack on Synnovis

In June 2024, Synnovis, a pathology provider for the NHS, suffered a ransomware attack that disrupted services across south-east London. This incident led to the postponement of thousands of elective procedures and outpatient appointments at Guy’s and St Thomas’s NHS Foundation Trust as well as King’s College NHS Foundation Trust, resulting in significant financial ramifications.

According to accounts filed with Companies House on January 7, 2025, the total estimated losses for Synnovis in 2024 are approximately £32.7 million. This figure comprises various costs, including £5.6 million in payroll expenses, £5.8 million in non-payroll expenses, and additional operational costs. Specific expenditures also include £6.3 million for IT infrastructure development, £3.2 million for other operational costs, and £11.7 million attributed to the activities directly affected by the cyber incident. The company’s profits, previously reported at £4.3 million for 2023, have been severely impacted moving forward.

The accounts detail that the attack has considerably affected profitability for both 2024 and 2025; however, management remains optimistic about returning to profitability in the long term, thanks in part to ongoing contracts in south-east London. The filing notes that investigations into the cyber attack and its impact on data security are ongoing, with uncertainty about whether patient information was compromised or leaked.

To address security concerns, Synnovis has implemented additional security measures, including a legal injunction to restrict the misuse of stolen data. Furthermore, the company has redesigned its IT infrastructure and transitioned to a hosted cloud environment, enhancing data security protocols.

Notably, Digital Health News reported in September 2024 that improved security practices, such as two-factor authentication, could have potentially mitigated the risks associated with the cyber attack. A spokesperson for Synnovis confirmed that significant resources were mobilized shortly after the attack to restore operations. By late autumn, they successfully reinstated user access to previously available services. Blood testing for GP services resumed in September 2024, with blood transfusion IT systems being restored by October.

The repercussions of the cyber attack extend beyond financial losses. A board paper from Guy’s and St Thomas’ Foundation Trust highlighted operational difficulties due to the attack, resulting in a considerable deficit through the fiscal period. Furthermore, plans for relocating Synnovis’ laboratory have sparked union-led protests, underscoring the attack’s adverse effects on staff morale and welfare.

The NHS as a whole faced a series of cyber incidents in 2024, impacting various trusts, including NHS Dumfries and Galloway and Alder Hey Children’s NHS Foundation Trust. These repeated incursions emphasize the pressing need for robust cybersecurity measures across the healthcare sector. Stakeholders have expressed concerns about the ongoing risks associated with data vulnerability and operational strain exacerbated by such attacks. South East London Integrated Care Board, along with other impacted NHS trusts, has been approached for comments on the situation.

The content above is a summary. For more details, see the source article.