A year ago this month, a ransomware attack on Synnovis, the pathology partnership between Synlab, Guy's and St Thomas' NHS Foundation Trust and King's College Hospital NHS Foundation Trust, took blood-testing services in south-east London offline. The attack was attributed to the Qilin group. The operational consequences ran for months: blood transfusion supplies were redirected, surgeries were postponed and GP referrals slowed. The number of postponed appointments and procedures eventually ran into the thousands.

It is worth, twelve months on, asking what we actually learnt and what is still unfixed. Not what the press releases said. What the lived experience of the year actually showed.

What the attack was, in plain terms

A criminal group encrypted the systems of a third-party pathology supplier that processed blood samples for two of the largest NHS trusts in London. The encryption was preceded by data exfiltration — patient names, NHS numbers, test types — which the group later published when ransom was not paid. The operational impact was felt by hospitals that depended on the supplier for routine and emergency testing.

This is the textbook structure of a modern ransomware case. The interesting part is not the technical mechanism. The interesting part is the shape of the dependency.

The dependency that did the damage

Pathology services in the NHS are, for the most part, no longer run inside the hospitals themselves. They are run under partnership arrangements with private-sector providers, of which Synnovis is one of the largest. The partnership model has cost and capability advantages. It also creates a single point of failure for the trusts that depend on it.

Synnovis was not a tier-three SaaS vendor a procurement team could not name. It was a contracted partner whose criticality to clinical operations was well understood. The point is not that the trusts were unaware of the dependency. The point is that understanding a dependency is not the same as having a contingency for it failing for two months.

That is the lesson the case offers, and it is a structural one rather than a technical one.

The Synnovis pattern is not new internationally. Colonial Pipeline in 2021 is the canonical American example: a fuel pipeline shut down as a precaution, not because the operational technology was compromised but because the corporate IT that operates and bills for it was. The structural lesson Synnovis confirmed had already been written down once, and the British state-owned and private CNI operators that read it carefully four years ago have done better since than those that did not.

What changed afterwards, and what did not

In the months following the attack, NHS England published a lessons-learned summary. The trusts published their own board-level reports. The pathology partnership took remediation steps. The criminal group moved on to other targets.

Three things changed materially.

One: NHS procurement language got a little tighter. Subsequent pathology partnership contracts have made cyber incident reporting, recovery time objectives, and right-to-audit provisions more specific. They have not made them as specific as I would like. They are at least no longer the boilerplate they were in 2022.

Two: the trusts have invested in alternative-supplier readiness. Several of the affected trusts have spent the year working through what they would do if a key supplier went dark again — which other lab they would route blood work to, what the throughput limits of those alternatives are, what the regulatory implications of running on a backup supplier would be. This is unglamorous work. It is the right work.

Three: the Department of Health and Social Care put more weight on cyber resilience in its commissioning guidance. That is real, and it is good. It is also slow. Commissioning guidance does not translate into clinical resilience in twelve months.

Three things have not materially changed.

One: the underlying pattern of NHS dependency on small numbers of large private suppliers for clinical-critical services. That pattern is structural. It has economic logic. It is not going to be rewritten because of a single incident, and any honest analysis has to accept that.

Two: the offline-fallback capability of the affected services. Most hospital pathology is now so digital, from sample tracking to automated analysers to electronic results flowing into the patient record, that a true offline mode is not, in practice, an option. The fallback during the Synnovis incident was a mixture of paper, couriering samples to alternative labs, and clinical triage. It worked, in the narrow sense that the hospitals kept treating patients. It was not what anyone would describe as a planned business continuity scenario.

Three: the boardroom understanding, across the NHS, of what a 'critical supplier' actually means at clinical level. I have sat on enough committees this year to know that the phrase critical supplier still travels in trust board papers without anyone, in some cases, being able to define which suppliers actually meet the test.

What boards should take from this

Three things, in order.

Map the suppliers whose failure would cause direct harm to your service users within 72 hours, and name them. Not by category. By name. Our pathology partner is X. Our patient record is Y. Our medication management is Z. You have a small number of these. You should be able to read the list to your chair from memory.

For each of those suppliers, define and rehearse what 'no longer available for sixty days' looks like. Sixty days, not six. Sixty is roughly how long the worst of the Synnovis disruption lasted, and full restoration took longer. If your contingency only covers six days, you do not have a contingency. You have an aspiration.

Insist that the suppliers' cyber incident notification clauses, recovery time objectives, and post-incident review obligations are written into the contract in terms a regulator will recognise. If the supplier cannot agree to those terms, the question is not can we negotiate better terms — it is should we be depending on this supplier for this work.

The thing the case is really about

The Synnovis case is not really about ransomware. It is about what happens when the operational dependency of a public service has been quietly delegated to a private partner, without the public service retaining the muscle memory to operate without it. The cyber attack was the trigger. The exposure was already there.

The trusts that were affected have done difficult and serious work in the year since. They have, in places, been treated unfairly in public commentary that did not understand the structural picture. But the picture remains: it could happen again, in a different sector, with a different supplier, tomorrow, and the structural answer is the same answer.

The question for any board reading this is: which of our critical clinical, operational, or financial functions are now structurally dependent on a third party whose failure we have not properly modelled?

If you cannot answer that question in under five minutes, the work is already overdue.