Synnovis cyber attack caused two cases of severe patient harm
- 23 January 2025
- At least two patients have suffered long-term or permanent damage to their health, as a result of the cyber attack on NHS pathology provider Synnovis
- Latest figures show there were also at least 11 cases of moderate harm, and more than 120 cases of low harm
- Cyber security expert Dr Saif Abed described the figures as "likely just the tip of the iceberg"
At least two patients have suffered long-term or permanent damage to their health as a result of the cyber attack on NHS pathology provider Synnovis, latest figures have revealed.
The ransomware attack on 4 June 2024, caused widespread disruption to NHS services in London, with 10,152 acute outpatient appointments and 1,710 elective procedures postponed at King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust.
Initial figures released by NHS South East London Integrated Care Board (ICB) in November 2024, recorded five cases of moderate harm and 114 cases of low harm as a result of the attack, but did not report any cases of serious harm.
However, NHS data obtained by Bloomberg News revealed that healthcare professionals across at least four London boroughs recorded two cases of severe harm, 11 cases of moderate harm, and more than 120 cases of low harm as a direct consequence of the cyber attack.
NHS policy defines severe harm as when a patient has long-term or permanent damage to their health which is likely to result in reduced life expectancy, whereas moderate harm is when a patient “did not need immediate life-saving intervention” but needed or will likely require follow-up care. Low harm relates to a mild, short-term impact on health.
Responding to the latest figures, Helen Hughes, chief executive at Patient Safety Learning, said: “This latest update highlights the significant risks to patient safety posed by cyber attacks.
“These events not only disrupt care and treatment but can result in serious avoidable patient harm.
“When cyber attacks occur, healthcare providers need to be vigilant of risks to the safety of vulnerable patients from delays to care and treatment.
“They should also have robust plans to recover services, prioritising patient safety, and must ensure that there are appropriate escalation routes to minimise future harm.”
Synnovis, King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust declined to comment on the patient harm figures.
Commenting on the figures, Dr Saif Abed, founding partner and director of cybersecurity advisory services at The AbedGraham Group, said: “These figures highlight the human cost of cyber attacks that are plaguing the NHS and this is likely just the tip of the iceberg.
“I would implore Wes Streeting to demonstrate leadership on this by ordering a public inquiry into NHS cybersecurity and patient safety as a matter of urgency or, at the very least, a Health Select Committee session on the issue.”
Digital Health News contacted NHS South East London ICB for comment but had not received a response at the time of publication.
A 2023 accounts filing to Companies House, published on 7 January 2025, shows that attack on Synnovis led to an estimated loss of £32.7m in 2024.
The document also reveals that Synnovis is investigating whether patient data was leaked onto the dark web.
Digital Health News reported in September 2024 that the attack on Synnovis could potentially have been prevented by two-factor authentication.
