Stay informed with free updates
Simply sign up to the Cyber Security myFT Digest — delivered directly to your inbox.
The cost of a ransomware attack against lab services provider Synnovis last year, which caused havoc across London hospitals, was more than seven times the company’s most recently disclosed annual profit.
The cyber attack in June 2024 resulted in estimated costs of £32.7mn, far outstripping Synnovis’ profits of £4.3mn for 2023, according to previously unreported accounts filed at Companies House.
The attack last summer led to one of the largest recent NHS patient data breaches, as well as cancellations or delays to thousands of operations and appointments at several NHS hospitals and GP surgeries in London.
Qilin, a Russian-speaking cyber-attack group, claimed responsibility for the breach and released 400GB of information it said it had stolen from Synnovis. A law enforcement investigation into the cyber attack is ongoing.
The breach forced Synnovis staff to deliver blood test results via “paper and manual, rather than electronic, protocols”, the accounts said.
Chair David Bennett wrote in the filing that the process of securing its data and rebuilding its systems after the attack was “slow and painstaking”.
In a statement to the Financial Times, Synnovis said it recently had completed the “first phase” of the restoration plan and brought back online all services that had been available prior to the cyber attack.
Synnovis is a public-private partnership between Synlab, Europe’s largest medical testing and diagnostic provider, and the Guy’s and St Thomas’ and King’s College Hospital NHS Foundation Trusts. Revenues were £209mn in 2023.
The company said in the filing that the attack had impacted its profits for 2024 and 2025 but that it expected a “return to profitability” owing to the “long-term” outsourcing contract it has with the trusts.
Synnovis drew down £40mn in loans from Synlab in 2024 for “capital transformation plans and support post cyber attack”, according to the accounts filed on January 7.
“There was an ongoing funding commitment that predates the cyber attack and was used to support the restoration and rebuilding of services and systems. The 2024 accounts filing will cover detail of the 2024 financial results,” Synnovis said.
The company added: “In the months following the cyber attack, every available resource was dedicated to restoring services and rebuilding systems.
“The patience and understanding of patients, service users, frontline NHS colleagues and our own employees over these past months is truly appreciated, and we are incredibly sorry for the inconvenience and upset caused by this criminal attack.”
In its annual results Synnovis also noted the possibility of fines or penalties as part of an ongoing investigation into the data breach conducted by the Information Commissioner’s Office.
The UK has been the subject of a rising number of cyber attacks on infrastructure and businesses in recent years. The National Cyber Security Centre recorded that attacks labelled as “severe” tripled in 2024.
Read the full article here