Lasting Fallout From the June 2024 Synnovis Attack
When the Qilin ransomware group struck Synnovis in June 2024, the immediate consequences were severe: blood testing across South East London was severely impaired, hospitals canceled operations, delayed treatments, and blood supplies were left in what officials described as a "very fragile position." Warnings were issued that only the most critical transfusions might be prioritized. Now, more than 18 months later, internal documents reviewed by Recorded Future News reveal the disruption is far from over for at least one NHS trust in the region.
The attack also carried a significant data theft component. Reporting at the time indicated that information relating to nearly one million NHS patients may have been exposed, including individuals living with conditions such as cancer and sexually transmitted infections. Notably, many of those patients were not formally notified until late 2025. The Information Commissioner's Office declined to comment on the specifics of the Synnovis case, stating that its investigation into the incident remains ongoing.
NHS England's Official Position vs. Reality on the Ground
NHS England has publicly stated that 10,152 acute outpatient appointments and 1,710 elective procedures were postponed as a direct result of the cyberattack, and that by the end of 2024, services had been restored. However, freedom of information responses obtained from affected organizations tell a more complicated story. NHS England did not respond to a request for comment on the discrepancy.
At South London and Maudsley NHS Foundation Trust (SLaM), pathology systems have still not been restored as of the time of publication. The trust continues to operate in business continuity mode, without electronic requesting or reporting capabilities, relying instead on paper processes and manual data uploads. Staff were warned explicitly not to depend on the timely return of blood results, and critical findings are being communicated by telephone, while full reports are delivered as paper documents or PDFs and manually entered into patient records.
161,000 Delayed Pathology Reports and Counting
The scale of the backlog at SLaM is significant. As of early January 2026, the trust estimated that the entry of 161,560 pathology reports into patient records had been delayed. These are not merely administrative inconveniences — delayed or missing results carry genuine clinical risk, including the chance that important findings are missed entirely or acted upon too late for effective intervention.
Compounding the problem, documents show that since the attack, no pathology reports for SLaM patients have been available through the London Care Record, a shared platform used across NHS organizations throughout the capital, and that normal service has not resumed for the trust.
Professor Derek Tracy, the trust's chief medical officer, acknowledged the difficulty: "The disruption has been a challenge for staff and services, but through the efforts in particular of our pathology team at SLaM, we have worked to mitigate risks as best we can."
SLaM itself acknowledged that its workaround processes carry inherent risks, including delays, transcription errors, and the potential for patient misidentification. By January 2026, the trust had recorded 122 patient safety incidents involving incorrect, unavailable, or delayed pathology results.
A Patient Death Linked to the Attack
The most serious documented outcome came from King's College Hospital NHS Foundation Trust, which recorded a patient death in which the cyberattack was considered a contributing factor. The trust noted, however, that it was not possible to determine whether the attack directly affected the outcome. Recorded Future News understands the death occurred in a complex clinical case. It was identified through an incident reporting field that was added specifically after the cyberattack, and a delay in receiving a blood test result was among the factors recorded as contributing to the outcome.
Patient safety specialists caution against reading too much into the classification — or too little. Nick Woodier of the Health Services Safety Investigations Body (HSSIB) explained the nuance: "Healthcare is a complex socio-technical system, with lots of human interactions alongside technology, and it's very difficult to unpick how those combine to produce an outcome," adding that safety science focuses on contribution rather than direct causation.
Varying Impact Across Affected Trusts
The picture across South East London varies considerably depending on the organization. Lewisham and Greenwich NHS Trust reported more than 11,000 canceled appointments, while Guy's and St Thomas' NHS Foundation Trust recorded no harm. These figures are not directly comparable, as they reflect different approaches to recording and categorizing the incident's impact.
NHS South East London, the integrated care board coordinating services across the region, stated that most affected organizations are no longer experiencing ongoing disruption and that impacted IT infrastructure has been rebuilt. It acknowledged that analysis of the incident is still ongoing but offered no detailed breakdown of the total impact.
National Data and Ongoing Investigations
At the national level, the Department of Health and Social Care recorded six cyber-related incidents across the NHS in 2024. Two of these were classified as posing "potential clinical harm," defined as incidents where more than 50 patients were considered at risk. None were recorded as causing excess fatalities.
The HSSIB is currently conducting an investigation into how healthcare organizations respond when electronic patient record systems lose functionality. The probe is examining how prepared staff are to revert to manual processes and whether existing contingency plans are effective in practice.
Wider Research Raises Systemic Concerns
The Synnovis incident has also attracted academic attention. A recent study by King's College London found that cyber incidents and other digital outages can produce cascading effects on clinical care, particularly where services depend on tightly integrated systems and real-time data access. The paper described ransomware as the most significant current cyber threat to the NHS and warned that a single major technology failure could have serious consequences for patient safety. It cited the Synnovis attack as a concrete illustration of the risks posed by supply-chain dependencies and uneven resilience across different parts of the health service.
In its FOI response, SLaM said it had not been possible to quantify the full impact of result delays on diagnosis or treatment outcomes, despite the documented patient safety incidents linked to missing or delayed pathology data — a candid admission that reflects the difficulty of fully measuring harm in complex healthcare environments.
Source: The Record