Unlock the Editor’s Digest for free
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
NHS hospitals in London have declared a critical incident after being affected by a cyber attack on a laboratory services provider, leading operations and other procedures to be cancelled.
A “major IT incident” affected the pathology departments of King’s College Hospital and of Guy’s and St Thomas’ NHS Foundation Trust, which runs three sites, the units said on Tuesday.
A number of GP surgeries in south-east London were also hit by the attack on Synnovis, leading some patients to have appointments cancelled and others to be redirected to different health providers in the UK capital.
The incident has left hospitals disconnected from the provider’s IT servers and delayed the delivery of blood transfusions. The outage could cause problems for emergency departments reliant on quick blood test results.
NHS London said Synnovis had been “the victim of a ransomware cyber attack” that was having a “significant impact” on services at affected hospitals.
“We will continue to provide updates for local patients and the public about the impact on services,” it added.
Mark Dollar, chief executive of Synnovis, which announced its partnership with the hospitals in April 2021, said the attack had affected all its IT systems, “resulting in interruptions to many of our pathology services”.
“It is still early days and we are trying to understand exactly what has happened,” he said, adding that the people behind the attack had “no scruples about who their actions might affect”.
The incident has been reported to law enforcement agencies and the Information Commissioner’s Office, the data watchdog. The National Cyber Security Centre, a branch of signals intelligence agency GCHQ, has also been asked to investigate the attack.
In an email obtained by the Sunday Times, Professor Ian Abbs, chief executive of Guy’s and St Thomas’ trust, which includes the Evelina London Children’s Hospital, told staff the “critical incident” was “having a major impact on the delivery of our services, with blood transfusions being particularly affected”.
“Some activity has already been cancelled or redirected to other providers at short notice as we prioritise the clinical work that we are able to safely carry out,” he added.
The NHS has been hit by significant ransomware attacks over the past decade. The 2017 “WannaCry” attack on critical systems is estimated to have cost the NHS £92mn and resulted in 19,000 patient appointments being cancelled.
Another hack in 2022 took down the non-emergency 111 service and disrupted management systems for mental health services and emergency prescriptions.
Last year, the UK government announced a strategy for strengthening cyber security in healthcare, which includes identifying parts of the healthcare system where an attack would cause the most harm to patients.
The Department of Health and Social Care said “patient safety is our priority and support is being offered to the impacted organisations”.