Synnovis attack led to at least five cases of ‘moderate’ patient harm

The cyber attack on NHS pathology provider Synnovis caused at least 119 incidents of patient harm, including at least five cases of “moderate” harm, according to figures provided by South East London Integrated Care Board (ICB).

Healthcare services in London were disrupted by the attack in June 2024, with an NHS London update on 4 October showing that 10,152 acute outpatient appointments and 1,710 elective procedures were postponed at King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS FT.

South East London ICB told Digital Health News that of 498 patient safety incidents linked to the attack, 114 were deemed to have caused “low harm” and five at Guy’s and St Thomas’ caused “moderate” harm.

There are also 91 related patient safety incidents being reviewed – 67 at King’s College Hospital and 24 at South London and Maudsley NHS Foundation Trust.

Helen Hughes, chief executive of Patient Safety Learning, told Digital Health News: “In addition to these recorded cases of harm, this incident may have resulted in further patient harm that is more difficult to capture.

“Disruption caused by cyber attacks often results in significant delays to care and treatment, with longer waits having a particularly serious impact on patients with chronic conditions and worsening health.

“The impact of these delays will only be seen over time.”

NHS policy on patient safety events and levels of harm defines moderate harm as where a patient “did not need immediate life-saving intervention” but needed or will likely require follow-up care.

It is also deemed moderate harm if a patient’s independence is limited for less than six months or has affected the success of treatment “but without meeting the criteria for reduced life expectancy or accelerated disability”.

An incident is defined as low harm when a patient requires extra observation or minor treatment but does not need further healthcare beyond a single GP, community healthcare professional, emergency department or clinic visit or require further treatment beyond dressing changes or short courses of oral medication.

A low harm incident must not have affected a patient’s independence or the success of treatment for existing health conditions.

Figures from South East London ICB show that there were 155 cases of no harm at Guy’s and St Thomas’, 51 low harm and five moderate.

At King’s College Hospital, there were 109 cases of no harm and 61 low harm.

Lewisham and Greenwich NHS Trust reported four cases of no harm and two low harm, and Oxleas NHS Foundation Trust had eight incidents of no harm.

In primary care, 29 reported incidents were recorded as low or no harm in a single grouping.

South East London ICB said that data on patient harm is collected on a quarterly basis, with the next batch of figures expected in early 2025.

A spokesperson for Synnovis told Digital Health News: “We do continuously invest in the security of our IT estate and processes as well as the awareness of employees to protect our infrastructure and data.”

Guy’s and St Thomas’ NHS FT, King’s College Hospital NHS FT and NHS London declined comment.