Essential insight into England’s biggest health economy, by HSJ bureau chief Ben Clover.
2025 brings a flurry of almost transparency about big public interest questions.
We learnt this morning that the cost to pathology firm Synnovis of the (easily preventable) cyber attack was £33m. The information was in annual accounts that were overdue. But London Eye also saw some NHS papers saying the debacle (which saw Guy’s and St Thomas’ Foundation Trust and King’s College Hospital FT unable to perform thousands of procedures, including some births and cancer surgeries) had blown a £35.7m hole in its 2024-25 finances.
There might be some overlap in the Synnovis £33m and the NHS £35.7m.
The Synnovis numbers include about £9m of miscellaneous and £11.7m of “cyber affected activity”. South East London Integrated Care Board said its total included hits to NHS income and private sector income, along with other costs. The money GSTT and KCH weren’t paid for NHS work that they couldn’t carry out while the systems were down is not lost to the system, but the private income likely is, and the cost of transferring all those paper records back onto Synnovis’s new system definitely is.
So, we could be looking at a total cost of just under £70m, even before the Information Commissioner’s Office levies a fine. It took two years from the (much smaller) attack on electronic patient record provider Advanced in 2022 to an announcement that it would face a £6m penalty.
Of course, the ICO is reluctant to fine public sector bodies, but Synnovis is majority-owned (51 per cent) by German pathology firm Synlab.
The company’s accounts said its owners – private equity firms Elliott and Cinven plus Labcorp and Qatar Holding LLC – needn’t worry though, the company will become profitable again during the 15-year contract, which started in 2021.
The NHS would only say it was in contractual negotiations with Synnovis, but a big question is: how much of the total bill are the trusts and SEL ICB on the hook for? The idea was that KCH and GSTT would share in the profits of the venture; for how long will those be curtailed?
Does the Synnovis side of the bill include compensation payments to patients who came to harm? (more on that later) Does it include compensation payments to patients who had their medical information leaked onto the dark web? What happens if the company gets wound up? Who would own the new lab at Blackfriars? The accounts say Synnovis is a going concern but there is plenty of reason to think the ICO fine will be significant. Will the trusts have to put in more money to cover this? Neither is awash with cash at the moment.
Is Synnovis liable for the costs the NHS incurred (the £35.7m) as a result of its failure to keep its systems secure? Are the trusts going to issue a claim against a company they own 49 per cent of?
When the ICO fine is included and legal costs tallied up, this incident might get nearer £100m in costs.
The Blackfriars injunction
Because GSTT took over the Royal Brompton and Harefield Hospitals and the associated high net-worth private patients, often from the Middle East, the issue may be even more sensitive legally.
The most intriguing part of the annual accounts was the sentence: “As the incident response has progressed, Synnovis has made use of additional tools, including securing an injunction – a legal mechanism designed to protect employees and patients by limiting the downloading, sharing or misuse of the stolen data.”
Soon after the attack, responsibility was pinned on a hacking group called Qilin – NHS bodies and law enforcement did not identify a culprit but a former head of the National Cyber Security Centre did.
So who was being injuncted here? Presumably not a hacking group in Russia or elsewhere (not famous respecters of UK law). And what are the “additional tools”?
After this piece went to press, Synnovis sent a statement saying: “The target of the injunction is the threat actors responsible for the cyberattack and others who may attempt to misuse the stolen data”.
This month has seen the departure of NHS England’s IT boss, whose team were involved in the response to this and other cybersecurity incidents. London Eye understands there was considerable frustration at the lack of funding for the department. The national body has said before that the 10,000-ish suppliers to the NHS represent a significant risk to cyber security.
Patient harm
More importantly, this week also saw reporting of more serious patient harm.
As of October, SEL ICB and the trusts were saying only five people came to “moderate” harm at GSTT, while 498 patients were affected but the impact was “low” or “no” harm. This was greeted with some scepticism by clinicians inside and outside of SEL at the time.
The sheer number of delayed procedures due to the cyber attack and the inability to carry out work requiring transfusions, not to mention primary care across six boroughs being unable to get timely results and as such “flying blind”, would make only five “moderate harm” events pretty miraculous.
The NHS’s incident response process judges “moderate” harm as where a patient “did not need an immediate life-saving intervention” but needed or is likely to need other follow-up care. It is also triggered when the incident limits a patient’s independence for less than six months or “affect[s] the success of treatment, but without meeting the criteria for reduced life expectancy or accelerated disability.”
Of course, people worked heroically to mitigate the effects of the attack but it seems there were more serious consequences.
Bloomberg reported this week that two patients had come to “major harm” – which seems to match with what the NHS defines as “severe harm” – and the “moderate” total up to 11.
It is not clear whether this reflects new cases coming to light since October or an error in what SEL ICB originally released on behalf of the system.
Source: Information obtained by HSJ
Source date: April 2024