Operations at seven UK hospitals have been delayed after a ransomware attack on pathology lab services provider Synnovis.

The attack by the Russian Qilin group took place on June 2, knocking out server systems at the UK operations of SYNLAB, which forms part of the Synnovis partnership with the Guy’s and St Thomas’ and King’s College Hospital NHS Foundation Trusts. Synnovis went live with a Laboratory Information Management System (LIMS) in October 2023 that combined multiple separate IT systems at the trusts into a single logical system.

A new LIMS powered by Epic software went live across the two hospital trusts that month. It locked the trusts into a single system dependent upon SYNLAB operations for pathology test results. When the server system of Synnovis, the NHS-SYNLAB partnership, went down, the trusts’ patient treatment operations were devastated.

Guy’s and St Thomas’ CEO Ian Abbs sent out a mail on June 3, saying: “I can confirm that our pathology partner Synnovis experienced a major IT incident earlier today, which is ongoing and means that we are not currently connected to the Synnovis IT servers. This is having a major impact on the delivery of our services, with blood transfusions being particularly affected. Some activity has already been cancelled or redirected to other providers at short notice as we prioritise the clinical work that we are able to carry out.”

As for SYNLAB, it described the attack as “an isolated incident to Synnovis with no connection to the cyber-attack on SYNLAB Italy on 18 April 2024.” It added: “The rest of the SYNLAB Group including the other SYNLAB facilities in the UK are not impacted.”

SYNLAB is an international medical diagnostics provider headquartered in Munich, Germany. It is the leading provider of diagnostic services and specialty testing in Europe. It employs around 27,000 people across its operations. SYNLAB is publicly listed on the Frankfurt Stock Exchange and had revenues of €3.25 billion in 2022. Major shareholders include private equity firms Cinven and Novo Holdings among others.

In its 2020 ESG Report, SYNLAB said: “We take our responsibility towards storing and processing data on our IT systems very seriously. Potential data breaches or system failures can have real life impacts for the patients who rely on our diagnosis. We are introducing policies to ensure that the data is encrypted and secure, and we work closely with a network of external partners to neutralise any potential cybersecurity risks.”

It established a Chief Information Security Officer (CISO) position that “focuses on identifying cybersecurity and IT compliance risks as they may impact our strategic, operational, and financial performance.” Valerio Sorrentino is SYNLAB’s Group ISO and has posted about the dangers of phishing attacks on LinkedIn. He says he was “recognized by Lacework as one of the 50 CISOs in the world to watch in 2024.”

Sorrentino knows about the targeting of healthcare providers by malware attackers, posting on LinkedIn eight months ago: ”l want to inform you that the North Korean state-sponsored actor, called the Lazarus Group, is targeting healthcare entities in Europe and the United States as reported by Cisco Talos.”

IT Services supplier CSI previously supplied a Security Operations Centre to SYNLAB in the UK and has published a case study about this contract, saying readers can “learn how SYNLAB, one of Europe’s largest medical testing companies, stays one step ahead of cyberattacks including WannaCry and Petya.”

CSI’s case study says: “CSI’s Security Operations Centre (SOC) deployed AI-driven threat protection to neutralise advanced threats and continuously protect the endpoints without disrupting users. Now its SOC experts can react immediately to alerts and work with Synlab to resolve cyber security-related incidents.”

CSI has not responded to an inquiry about its current involvement with SYNLAB and whether it was part of efforts to fend off the Synnovis attack.

SYNLAB ops fell prey to two previous attacks, one of which being the unconnected attack on its Italy offshoot described earlier. A SYNLAB operation in France was attacked by Clop group ransomware in June 2023. Then, in April 2024, SC Media reported that SYNLAB Italia had been hit by a cyberattack that disrupted its laboratories, medical centers, and sampling points, compromising 1.5 TB of data, including personal and medical details of patients and employees. The Black Basta ransomware group infiltrated its networked system, causing the shutdown of IT systems in 380 labs and medical centers in Italy. SYNLAB has emphasized that the Synnovis attack is not related.

SYNLAB Italia reportedly did not pay the demanded ransom and took almost a month to get its systems back online.

After the latest attack took place, SYNLAB UK CEO Mark Dollar put out a statement saying: “We take cybersecurity very seriously at Synnovis and have invested heavily in ensuring our IT arrangements are as safe as they possibly can be.”

Neither Dollar nor his Data Protection Officer, David Akinpitansoye, have responded to our inquiries about the incident, which is ongoing with weeks of disruption likely.