Investigation into cyber attack ‘could take weeks’, says NHS England

It could take weeks to complete investigations into a cyber attack affecting hospitals in London, with some patients needing to undergo repeat tests, NHS England has said.

A website and helpline has been set up for patients affected by the ransomware attack on NHS provider Synnovis, which happened on June 3.

Russian group Qilin attacked Synnovis, which provides pathology services to NHS trusts and GP services, primarily in south-east London.

Hundreds of operations and appointments are still being cancelled two weeks after the incident.

NHS England said in a statement on Friday that investigations into what happened could take weeks.

It said: “NHS England has been made aware that a cyber criminal group published data last night which they are claiming belongs to Synnovis and was stolen as part of this attack.

King’s College Hospital in London
Planned operations and outpatient appointments at King’s College Hospital NHS Foundation Trust have been postponed because of the attack (Andy Hepburn/PA)

“The National Crime Agency and National Cyber Security Centre are working to verify the data included in the published files as quickly as possible.

“We understand that people may be concerned by this and as more information becomes available through Synnovis’ full investigation, the NHS will continue to update patients and the public.

“A helpline has been set up and is available to answer questions …

“Patients should continue to attend scheduled appointments and access urgent care as normal.”

The webpage is and contains the most up-to-date information for patients.

Anyone who wishes to speak to somebody can call 0345 8778967.

NHS England said the National Crime Agency and National Cyber Security Centre “are working to verify the data included in the files published by the criminals”.

It added: “These files are not simple uploads and so investigations of this nature are highly complex and can take weeks if not longer to complete.”

Any unprocessed blood samples were made safe by Synnovis after the incident and stored in their labs.

But NHS England said, due to the time that had now lapsed, some of these samples were no longer suitable for analysis and would need to be discarded.

“Synnovis is working with the NHS trusts and GP practices to determine which samples are affected and the process for informing patient,” it said.

“We understand the distress this will cause patients who have to re-test.

“Synnovis have also put additional resources in place to ensure that urgent samples received from GP practices or hospitals can still be processed within appropriate time frames.

“Synnovis still have a copy of the data encrypted in the incident, and so historic test results will be available to clinicians once the IT systems are restored.”

Synnovis is now understood to be focused on the technical recovery of the system, with plans in place to begin restoring some functionality in its IT system in the weeks to come.

“Full technical restoration will take some time, and the need to re-book tests and appointments will mean some disruption from the cyber incident will be felt over coming months,” NHS England added.

According to the BBC, Qilin shared almost 400GB of data – including patient names, dates of birth, NHS numbers and descriptions of blood tests – on their darknet site and Telegram channel.

Spreadsheets containing financial arrangements between hospitals and GP services and Synnovis were also published, the BBC reported.

Synnovis, in a statement on Friday, said: “We know how worrying this development may be for many people. We are taking it very seriously and an analysis of this data is already under way.”

Between June 10-16, the second week after the attack, more than 320 planned operations and 1,294 outpatient appointments were postponed at King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust.

The number of rearranged planned operations had gone down by 494 since the first week after the attack, June 3-9, but the number of missed outpatient appointments had increased by 394.

The total so far was 1,134 planned operations and 2,194 outpatient appointments postponed, according to NHS England London figures.

Urgent and emergency services have remained available as usual.

Meanwhile, an NCA spokesperson said: “The National Crime Agency is leading the criminal investigation into a recent cyber incident affecting hospitals.

“We are aware data has been published and we are working closely with partners from the National Cyber Security Centre, NHS England and others to understand its impact and provide support.

“As our investigation is in its early stages, we are unable to comment further at this time.”