- Cyber attack on pathology firm Synnovis had financial impact of £32.7m
- Ransomware attack left hospital and primary care systems crippled for months
- Company has taken out injunction to stop “downloading, sharing or misuse of the stolen data”
- Attack has also blown £35.7m hole in South East London ICS finances
A cyber attack on a pathology firm part-owned by the NHS — which left hospital systems crippled for months — cost the provider £32.7m, accounts reveal.
Documents released this morning show Synnovis, the pathology firm hit by a ransomware attack last June, said its “estimated direct losses in-year” included pay costs of £5.6m and non-pay costs of £5.8m.
In addition, it listed “IT build costs” of £6.3m, “other operational costs” of £3.2m and “cyber affected activity” of £11.7m.
The company, majority-owned by German firm Synlab, with a 49 per cent share held by Guy’s and St Thomas’ and King’s College Hospital foundation trusts, said it was too early to say what it might be fined by the Information Commissioner’s Office for the breach. The ICO last year indicated it would fine another healthcare IT firm £6m over a much smaller breach in 2022.
The annual accounts published today said that since the attack, “The IT infrastructure and methods of access to it have been redesigned and rebuilt in a hosted cloud environment, resulting in greater levels of system and data security. Cybersecurity training is mandatory for all employees.”
HSJ revealed in September that the attack would have been prevented by simple two-factor authentication, which is used routinely by many common IT systems.
It is still unclear what patient information was leaked onto the dark web as a result of the attack but the accounts said: “As the incident response has progressed, Synnovis has made use of additional tools, including securing an injunction – a legal mechanism designed to protect employees and patients by limiting the downloading, sharing or misuse of the stolen data.” HSJ has asked Synnovis who or what was the target of the injunction.
The company said: “The target of the injunction is the threat actors responsible for the cyber attack and others who may attempt to misuse the stolen data.” It said because the identities of those responsible for the cyber attack are currently unknown, the injunction was granted against “persons unknown”.
Both the south east London trusts, which also run the Royal Brompton and Harefield Hospitals, do substantial amounts of international private patient work, and GSTT treated former prime minister Boris Johnson for covid-19 in 2020.
The company said while the attack “disrupted the profitability” of the business in 2024 and 2025 “it is expected the business will return to profitability in part due to the nature of the long-term south east London contracts,” which have another 11 years to run with its main customers, NHS providers in south east London.
Profits in 2023, the period covered by the latest accounts, were £4.3m.
Synnovis gets the majority of its £209m income from GSTT and King’s, with roughly 3 per cent from the private sector. Last year, it also took on pathology work for primary care across south east London, and GPs complained the shutdown in systems after the cyber attack left them “flying blind” without test results.
Valiant response
The pathology labs at the trusts were put under the control of Synnovis, which is chaired by former Monitor chief executive David Bennett, in 2021, and profits are distributed between the owners.
Mr Bennett said staff had responded “valiantly,” with many manual workarounds put in place but that “regain[ing] control of our data and rebuild[ing] our systems is necessarily a slow and painstaking process.”
The attack saw GSTT and KCH forced to cancel thousands of procedures, including cancer surgery, until systems were restored. The capital ran out of blood for transfusions as blood-matching services were inoperable.
In October, the NHS said it had estimated just five patients came to only “moderate” harm, while dozens suffered “low” harm as a result of the incident. Reports this week said two cases of “severe” or permanent harm to patients had now been identified, however.
Cost to the NHS
The £33m cost to Synnovis revealed in its accounts today does not account for the whole of the financial cost of the attack, however.
Documents seen by HSJ show a £35.7m hit to income and increase in costs to the south east London health system in the wake of the ransomware attack.
In a statement South East London Integrated Care Board said: “The financial impact of the Synnovis cyber attack has been significant and includes reduced patient care income (NHS and private patients) and costs incurred.”
Two other pathology providers in the capital took on significant amounts of work for the stricken Synnovis systems – South West London Pathology and Health Services Laboratories, which serves north central London and is majority-owned by Australian firm Sonic Healthcare. Board papers for St George’s University Healthcare FT, which hosts the main SWLP services, show it is owed £900,000 by its south east London counterparts.
The two FTs made no comment, and Synnovis was approached for comment.
This story was updated at 14.46 on 15/1/25 to include Synnovis’s comment about the injunction
Source: Information obtained by HSJ
Source date: January 2025