NHS Cyberattack in UK Inflicted Long-Term Harm on Patient Health

By Ryan Gallagher | January 14, 2025

A cyberattack that paralyzed hospitals and clinics in London last year resulted in harm to dozens of patients, leading to long-term or permanent damage to their health in at least two cases, according to data obtained by Bloomberg News.

In June 2024, a Russian hacking gang targeted Synnovis, a contractor that provides blood testing, transfusion and other pathology services to the UK’s National Health Service, or NHS. The incident plunged health-care providers predominantly in the southeast of the city into crisis.

The breach crippled Synnovis’ ability to function and led to months of disruption at scores of hospitals and doctors’ surgeries. Medical facilities postponed more than 10,000 appointments and canceled more than 1,700 elective procedures as a result of the incident, according to the NHS.

Health-care professionals across at least four boroughs of London recorded two cases of major harm, 11 cases of moderate harm, and more than 120 cases of minor harm as a direct consequence of the cyberattack, according to NHS data obtained by Bloomberg News. Details about the specific damage to individuals’ health were not available due to patient confidentiality.

Major harm amounted to “long-term or permanent impact on physical, mental or social function or shortening of life-expectancy,” according to an NHS document reviewed by Bloomberg News. Moderate harm was classified as having “medium-term impact on physical, mental or social functioning.” Minor harm would result in a mild, short-term impact on health.

“These numbers are substantial, and they show that a cyberattack can be catastrophic and life-changing for people,” said Saif Abed, a former NHS doctor and expert in cybersecurity and public health.

The number of affected patients may be higher, Abed added, as it’s difficult to identify links between a cyber incident and specific harms, which can arise months or years later due to a delay in treatment. In some cases, dialysis patients had their treatments disrupted, and blood-testing services dropped to 10% immediately after the attack, Bloomberg News previously reported.

Ransomware attacks have surged by some 300% in the last decade, and health care is one of the most affected industries, according to Microsoft Corp. findings.

The NHS has been a victim before. In 2017, a strain of ransomware known as WannaCry disrupted hospitals and clinics across the UK for days, leading to the cancellation of an estimated 19,000 appointments. A group of London hospitals affected in the 2024 intrusion had known for years about digital flaws that left them vulnerable to an attack, Bloomberg previously reported.

In the US, a report last year from the Office of the Director of National Intelligence warned that attacks on American health organizations had delayed medical procedures and disrupted patient care because of multi-week outages.

It’s rare for health-care organizations to publish data on harms caused to patients as a result of the incidents. In a devastating attack on Ireland’s hospitals in 2021, for instance, Irish health executives said they didn’t have numbers on specific harms inflicted, though scores of patients had treatments for cancer and other serious conditions postponed.

A portion of the data on the Synnovis attack was provided to Bloomberg News under the Freedom of Information Act by the South East London Integrated Care System, an NHS organization that represents publicly funded health and care providers. The figures included primary care services, such as surgeries, in Greenwich, Lambeth, Lewisham and Southwark. Additional data was provided to Bloomberg News by two hospital groups that were affected by the hack: the Guy’s and St Thomas’ NHS Foundation Trust and the King’s College Hospital NHS Foundation Trust.

A spokesperson for NHS South East London said that the Synnovis attack had been very disruptive as testing capacity had been significantly reduced as a result of it.

“However, the NHS has extensive procedures in place for (and extensive experience of) dealing with incidents, and these were implemented,” said the spokesperson. “This included requesting, and receiving, crucial mutual aid and support from a wide range of partners.”

A Russian criminal gang named Qilin took responsibility for the ransomware attack and said that it had demanded $50 million from Synnovis to unlock the computers it had shut down. The group later dumped online a trove of sensitive medical records stolen from Synnovis’ computers, including documents sent by doctors requesting biopsies and blood tests for people in all regions of the UK and some hospitals in Ireland.

A spokesperson for Synnovis said in an emailed statement that “almost all services” are operational again, but added that work remained ongoing to fix back-office computers that were not critical to health-care operations.

“We are very aware that this has been an extremely challenging and sometimes distressing period for patients, service users and front-line NHS colleagues,” the spokesperson said. “Their patience and understanding over these past months is truly appreciated, and we are incredibly sorry for the inconvenience and upset caused by this criminal attack.”
