Major cyberattack sees NHS London hospitals declare critical incident with operations cancelled

Guy’s and St Thomas’ NHS Foundation Trust is one of two London trusts affected by the cyberattack (PA Archive)
Guy’s and St Thomas’ NHS Foundation Trust is one of two London trusts affected by the cyberattack (PA Archive)

Two London hospital trusts have been forced to cancel all non-emergency operations and blood tests following a “major” cyberattack.

Pathology systems at King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust, as well as GP services across South London, have been hit by a ransomware attack, according to emails seen by The Independent.

Synnovis, the company that supplies blood tests, swabs, bowel tests and other services for hospitals serving NHS patients across six London boroughs, warned the two NHS trusts on Monday that it had been hit by a major malware attack, the consequences of which have affected tens of thousands of patients, according to sources close to the hospitals.

The supplier covers Guy’s Hospital, which runs the Evelina London Children’s Hospital, as well as Harefield Hospital, King’s College Hospital, Princess Royal University Hospital, Royal Brompton Hospital and St Thomas’ Hospital.

In a second email on Tuesday, seen by The Independent, it confirmed it had been hit by a ransomware attack.

GPs have been told to cancel all non-emergency pathology appointments, while hospital staff have been told to request emergency blood samples only from patients who require transfusions.

The National Cyber Security Centre is now involved, while NHS England has declared a level three incident – the second-highest alert level.

In a message to staff on Monday, Guy’s and St Thomas’ said: “Synnovis, the pathology provider for both King’s and Guy’s and St Thomas’, informed us of a major incident with ICT systems.”

A senior NHS source told The Independent that transplants have been affected as patients’ blood tests cannot be cross-checked, and that healthcare leaders in London have been warned that the incident could take “weeks or months” to resolve.

In a separate message, Synnovis said there would be delays for patients receiving results, and GPs have been asked to cancel all non-urgent blood test appointments.

“Given the nature and magnitude of this attack, this is an evolving situation,” it said.

The emails say it is unclear how long the issue will last.

In the second email, Synnovis told staff: “This is a harsh reminder that this sort of attack can happen to anyone at any time and that, dispiritingly, the individuals behind it have no scruples about who their actions affect.

“This incident is being reported to law enforcement and the Information Commissioner, and we are working with the National Cyber Security Centre and the Cyber Operations team.”

The National Cyber Security Centre and the National Crime Agency have been contacted for comment.

A government spokesperson said: “The Department of Health and Social Care, NHS England and the National Cyber Security Centre are working together to investigate a cyber incident affecting a number of NHS organisations in southeast London.

“Patient safety is our priority and support is being offered to the impacted organisations.”

A spokesperson for NHS England’s London region said: “On Monday 3 June, Synnovis, a provider of lab services, was the victim of a ransomware cyberattack.

“This is having a significant impact on the delivery of services at Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trust, and primary care services in southeast London, and we apologise for the inconvenience this is causing to patients and their families.

“We are working urgently to fully understand the impact of the incident with the support of the government’s National Cyber Security Centre and our Cyber Operations team.”

The spokesperson said that emergency care continues to be available, so patients should access services in the normal way.

This story was updated with a response from NHS England and the government, and at 16.14 following new information received by The Independent regarding the nature of the cyberattack