Synnovis ransomware attack causes major disruption to London hospitals

What happened?

A cyber-attack has forced major hospitals in London to declare a critical incident, leading to the cancellation of operations and the diversion of emergency patients. The affected hospitals, which partner with Synnovis for pathology services, include King’s College Hospital, Guy’s and St Thomas’, the Royal Brompton, Evelina London Children’s Hospital, and various primary care services. The attack occurred on Monday, severely disrupting services, particularly blood transfusions and test results, as some departments lost access to the main server.

Emergency care remains available, but many procedures have been redirected to other NHS providers as hospitals assess what can be done safely. GP services in several boroughs, including Bexley, Greenwich, Lewisham, Bromley, Southwark, and Lambeth, have also been impacted. 

Synnovis has deployed a task force of IT experts to evaluate the situation, while the NHS, in collaboration with the National Cyber Security Centre, is working to understand the full impact.

Going deeper

The ransomware attack led to the loss of 3 TB of stolen patient and staff personal information. The INC Ransom extortion gang is behind this attack and leaked the stolen data on their dark web leak site on May 6 after the NHS board refused to interact with the threat actors and ignored their ransom demands. 

See also: HIPAA Compliant Email: The Definitive Guide

What was said? 

Professor Ian Abbs, CEO of Guy's and St Thomas' NHS Foundation Trust, told Bleeping Computer, that their "pathology partner Synnovis experienced a major IT incident earlier today [June 4, 2024], which is ongoing and means that we are not currently connected to the Synnovis IT servers." He continued to tell Bleeping Compter that "This is having a major impact on the delivery of our services, with blood transfusions being particularly affected. Some activity has already been cancelled or redirected to other providers at short notice as we prioritise the clinical work that we are able to safely carry out."

In a statement, an NHS UK spokesperson said “Emergency care continues to be available, so patients should access services in the normal way by dialing 999 in an emergency and otherwise using 111, and patients should continue to attend appointments unless they are told otherwise.” To mitigate the NHS said they are “working urgently to fully understand the impact of the incident with the support of the government’s National Cyber Security Centre and our Cyber Operations team.” On May 21, NHS Dumfries & Galloway said that "services have continued to run as normal. No patient appointments or operations have had to be cancelled or rescheduled."

In the know

The INC Ransom extortion gang is a cybercriminal group known for conducting ransomware attacks. Ransomware is a type of malicious software that encrypts a victim's files, making them inaccessible until a ransom is paid. The INC Ransom gang, like other ransomware groups, typically targets organizations, encrypts their data and demands payment, usually in cryptocurrency, to provide the decryption key.

Key characteristics of ransomware gangs, including the INC Ransom gang, often include:

• Sophisticated attacks: They employ advanced techniques to infiltrate systems, often exploiting vulnerabilities or using phishing schemes.
• High ransom demands: They demand significant sums of money, sometimes millions of dollars, to decrypt the data.
• Data exfiltration: In addition to encrypting data, they might steal sensitive information and threaten to release it publicly if the ransom is not paid.
• Targeted attacks: They focus on high-value targets such as large corporations, healthcare providers, government agencies, and critical infrastructure.

Why it matters

Earlier this year, Change Healthcare, a major provider of healthcare technology and revenue cycle management solutions, experienced one of the largest ransomware attacks, highlighting a severe vulnerability in the sector. The recent recurrence of a significant ransomware attack on major London hospitals just months later suggests that the healthcare industry may not be adequately learning from past incidents or implementing effective protective measures. This repeated vulnerability points to several critical issues: 

• insufficient cybersecurity defenses, 
• inadequate staff training on best practices, 
• failure to implement lessons learned from previous attacks, and 
• resource constraints that limit the ability to invest in robust security infrastructures. 

Additionally, the reliance on third-party providers, such as Synnovis for pathology services, introduces further vulnerabilities that need to be addressed. To better protect themselves and their patients, healthcare organizations must adopt a more proactive and comprehensive approach to cybersecurity, which includes investing in advanced security technologies, enhancing staff training, learning from past incidents, and ensuring stringent cybersecurity standards for all partners and vendors.

In the news: Report reveals ransomware attacks reached record high in July

See also: How ransomware emails impact healthcare security

FAQs

What steps can healthcare organizations take to protect against ransomware attacks?

Healthcare organizations can improve their cybersecurity by investing in robust security infrastructures, providing regular staff training on best practices, learning from past incidents to enhance defenses, and ensuring all third-party partners adhere to stringent cybersecurity standards.

Read more: Getting started with the NIST cybersecurity framework

How can staff training help prevent ransomware attacks?

Staff training can help employees recognize phishing attempts, use strong passwords, follow proper protocols for data handling, and respond effectively to potential threats, significantly reducing the risk of a successful cyberattack.

What immediate actions should hospitals take when a ransomware attack occurs?

Hospitals should activate their incident response plans, isolate affected systems to prevent further spread, notify relevant authorities and cybersecurity experts, communicate with staff and patients about the situation, and work to restore critical services while ensuring patient safety.