London hospitals report critical incident after cyber attack

Unlock Editor’s Digest for free

FT editor Roula Khalaf selects her favourite stories in this weekly newsletter.

A critical incident was reported at NHS hospitals in London after a laboratory service provider was affected by a cyberattack and operations and other procedures had to be cancelled.

A “serious IT incident” has affected the pathology departments of King’s College Hospital and Guy’s and St Thomas’ NHS Foundation Trust, which operates three sites, the departments said on Tuesday.

The Synnovis attack also affected several medical practices in south-east London, causing some patients to cancel their appointments and others to be referred to other healthcare providers in the British capital.

The incident left hospitals disconnected from the provider’s IT servers, delaying the delivery of blood transfusions. The outage could cause problems for emergency departments that rely on quick blood test results.

NHS London said Synnovis had fallen victim to a ransomware cyberattack that had a “significant impact” on services at the affected hospitals.

“We will continue to keep local patients and the public updated on the impact on services,” it added.

Mark Dollar, CEO of Synnovis, which announced its partnership with the hospitals in April 2021, said the attack compromised all of the company’s IT systems, “resulting in disruptions to many of our pathology services.”

“It is still early days and we are trying to understand exactly what happened,” he said, adding that the people behind the attack “had no qualms about who their actions might affect.”

The incident has been reported to law enforcement and the Information Commissioner’s Office, the data protection watchdog. The National Cyber ​​Security Centre, a division of the intelligence agency GCHQ, has also been asked to investigate the attack.

In an email seen by The Sunday Times, Professor Ian Abbs, chief executive of the Guy’s and St Thomas’ Trust, which includes the Evelina London Children’s Hospital, told staff that the “critical incident” had “significantly impacted the delivery of our services, particularly affecting blood transfusions”.

“Some activities have already been cancelled or diverted to other providers at short notice as we prioritise clinical work that we can do safely,” he added.

The NHS has been hit by significant ransomware attacks over the past decade. The ‘WannaCry’ attack on critical systems in 2017 cost the NHS an estimated £92 million and resulted in the cancellation of 19,000 patient appointments.

Another hacker attack in 2022 brought down the non-emergency number 111 and disrupted the administration systems for mental health services and emergency prescriptions.

Last year, the UK government announced a strategy to strengthen cybersecurity in healthcare, including identifying parts of the healthcare system where an attack would cause the greatest harm to patients.

The Department of Health and Social Care said: “Patient safety is our priority and support is being offered to affected organisations.”