A patient’s death was linked to the 2024 ransomware attack on Synnovis, which disrupted NHS facilities
# Incident Report: Synnovis Ransomware Attack Leading to Patient Death
## Executive Summary
In June 2024, a major ransomware attack attributed to the Qilin group targeted Synnovis, the pathology services provider for several London NHS Trusts. The incident caused severe operational disruption, including delayed blood test results, which were officially identified as a contributing factor in the "unexpected" death of at least one patient. Response efforts focused on service restoration amidst widespread cancellation of appointments and operations across affected NHS facilities.
## Incident Details
- Discovery Date: June 3, 2024 (the date the attack began and its impact was realized)
- Incident Date: June 3, 2024
- Affected Organization: Synnovis (Pathology Services Provider for NHS Trusts)
- Sector: Healthcare (Public Sector)
- Geography: London, UK
## Timeline of Events
### Initial Access
- Date/Time: June 3, 2024
- Vector: Ransomware deployment (implied successful initial compromise)
- Details: The attack brought pathology and blood testing services across multiple NHS trusts to a halt.
### Lateral Movement
- Details: Sufficient access was achieved to disrupt widespread pathology services across multiple NHS trusts (including King’s College and Guy’s and St Thomas’).
### Data Exfiltration/Impact
- **Patient Harm:** A patient at King’s College Hospital NHS Foundation Trust died unexpectedly, with a subsequent safety investigation identifying a long wait for a blood test result due to the cyber-attack as a contributing factor.
- **Operational Impact:** The attack caused the postponement of 1710 operations and disrupted more than 10,000 appointments across affected trusts.
### Detection & Response
- Detection: The incident was identified when pathology services collapsed on or around June 3, 2024.
- Response actions taken: Affected Trusts, including King's College, initiated patient safety incident investigations following adverse outcomes.
## Attack Methodology
- Initial Access: Unknown (Likely exploiting a vulnerability or successful phishing/credential compromise leading to deployment).
- Persistence: Not detailed.
- Privilege Escalation: Not detailed, but necessary to achieve widespread service disruption.
- Defense Evasion: Not detailed.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Used to impact services across multiple NHS trusts via the centralized pathology provider Synnovis.
- Collection: Not detailed, but typical of ransomware campaigns.
- Exfiltration: Not applicable/detailed.
- Impact: Operational disruption via encryption/disabling of pathology systems, leading to patient care delays that were identified as a contributing factor in a patient death.
## Impact Assessment
- Financial: Not detailed (implied high incident response and recovery costs).
- Data Breach: Not explicitly detailed, though data exposure or theft is a common feature of ransomware compromises and cannot be ruled out.
- Operational: Severe disruption; over 10,000 appointments disrupted, 1710 operations postponed, critical diagnostic services halted.
- Reputational: Significant negative public impact due to the confirmed link between the cyber-attack and patient fatality.
## Indicators of Compromise
- *Note: No technical IoCs were provided in the source material.*
- Behavioral indicators: Failure of pathology and blood testing systems; large-scale cancellation of medical appointments and surgical procedures in London NHS Trusts.
## Response Actions
- Containment: Not detailed; the immediate priority would have been isolating affected systems.
- Eradication: Not detailed.
- Recovery: Service restoration efforts across multiple NHS trusts facing massive backlogs in diagnostic testing.
- Investigation: Patient Safety Incident Investigations conducted by affected Trusts (e.g., King's College Hospital) to confirm the link between service degradation and patient outcomes.
## Lessons Learned
- The direct, catastrophic link between IT operational failure (pathology services) and loss of human life in healthcare settings must be critically assessed.
- Disruption to critical diagnostic services causes immediate, measurable patient harm.
## Recommendations
- Mandate and rigorously audit comprehensive business continuity and disaster recovery plans specifically for pathology and core diagnostic services across all third-party IT providers serving NHS trusts.
- Increase investment in hardening critical healthcare infrastructure against known ransomware groups like Qilin.
- Review SLAs and dependencies on third-party pathology providers (such as Synnovis) to ensure resilience against single points of failure.