Cyber attack cost Synnovis estimated £32.7m in 2024
- 20 January 2025
- The cyber attack on Synnovis in June 2024 cost the pathology provider £32.7m, according to company accounts
- Profitability of the business in 2024 and into 2025 was disrupted by the attack, which reported a profit of £4.3m in 2023
- Investigations are continuing into whether patient data was published on the dark web
The cyber attack on NHS pathology provider Synnovis led to an estimated loss of £32.7m, disrupting profits for 2024 and 2025, according to accounts filed on Companies House.
Synnovis was hit by a ransomware attack in June 2024, which disrupted services in south east London for several months, with thousands of elective procedures and outpatient appointments postponed at Guy’s and St Thomas’s NHS Foundation Trust and King’s College NHS FT.
An accounts filing for 2023, published on 7 January 2025, shows “estimated direct losses in-year” for 2024 totalling £32.7m, including £5.6m of pay costs and £5.8m of non-pay costs.
It also lists “IT build costs” of £6.3m, “other operational costs” of £3.2m, and “cyber affected activity” of £11.7m.
Profits of £4.3m were reported for 2023.
“The cyber attack has disrupted the profitability of the business in 2024 and into 2025, yet it is expected the business will return to profitability in part due to the nature of the long term SEL contracts,” the document states.
It also says that “investigations into the attack and any possible impact to data continues”, with it unclear if patient information was leaked onto the dark web.
“Synnovis has made use of additional tools, including securing an injunction – a legal mechanism designed to protect employees and patients by limiting the downloading, sharing or misuse of the stolen data,” it says.
The document adds that “the IT infrastructure and methods of access to it have been redesigned and rebuilt in a hosted cloud environment, resulting in greater levels of system and data security”.
Digital Health News reported in September 2024 that the attack on Synnovis could potentially have been prevented by two-factor authentication.
A spokesperson for Synnovis told Digital Health News: “Our 2023 accounts filing with Companies House note that the business was subject to a criminal cyber attack in June 2024.
“In the months following the cyber attack, every available resource was dedicated to restoring services and rebuilding systems.
“By late autumn, we had restored user access to all services that were available prior to the cyber attack.”
GP blood testing across south east London was resumed in September 2024 and blood transfusion IT systems at Guy’s and St Thomas’ were restored in October 2024.
Meanwhile, a board paper from Guy’s and St Thomas’ FT, published on 23 October 2024, said: “The trust’s annual plan for 2024/25 is to break even.
“To the end of August 2024 (month 5) the trust delivered a deficit of £38.4m against the planned £7.0m deficit.
“The variance reflects the challenges the trust is experiencing as a result of operational pressures, including the cyberattack on Synnovis.”
In December 2024, Synnovis laboratory announced plans to strike over plans to move the laboratory’s location. Trade union Unite said that the cyber attack had “an alarming impact on staff”.
The NHS was subject to several cyber incidents in 2024 including attacks on NHS Dumfries and Galloway, Alder Hey Children’s NHS FT, Liverpool Heart and Chest Hospital and Royal Liverpool University Hospital.
Digital Health News approached South East London Integrated Care Board, Guy’s and St Thomas’ NHS FT and King’s College Hospital NHS FT for comment.
