Ransomware Attack Continues to Disrupt NHS Healthcare in London Nearly Two Years Later

What happened

Nearly two years after the June 2024 ransomware attack on pathology services provider Synnovis, internal documents and freedom of information responses reveal that at least one NHS trust in South East London is still operating without fully restored systems. South London and Maudsley NHS Foundation Trust has not had its pathology systems restored as of publication and continues to rely on paper processes and manual uploads rather than electronic requesting and reporting.

The trust estimates that entry of 161,560 pathology reports into patient records had been delayed as of early January 2026, and clinicians were warned not to rely on timely return of blood results. Critical results are being communicated by phone, while full reports are delivered as paper or PDFs and manually entered into records. The trust recorded 122 patient safety incidents involving incorrect, unavailable, or delayed pathology results as of January 2026, and noted that risks include transcription errors and patient misidentification.

The most serious reported outcome came from King’s College Hospital, which recorded a patient death in which the cyberattack was considered a contributing factor, with a delayed blood test result among the contributing circumstances. The original attack was carried out by the Qilin ransomware group and also involved the theft and publication of sensitive data relating to nearly one million NHS patients, including individuals with conditions such as cancer and sexually transmitted infections.

Who is affected

NHS trusts and integrated care providers across South East London remain affected to varying degrees, with South London and Maudsley NHS Foundation Trust still in business continuity mode. Patients dependent on pathology and blood testing services at affected trusts face ongoing delays, and no pathology reports for SLaM patients have been available in the London Care Record since the attack. Earlier disruption across the region resulted in more than 10,000 postponed outpatient appointments and over 1,700 delayed elective procedures.

Why CISOs should care

This case is a documented example of a ransomware attack producing patient harm and operational failure that persisted for nearly two years. For CISOs in healthcare and other sectors operating complex, integrated systems, it illustrates how supply-chain dependencies, in this case a third-party pathology provider, can create recovery timelines far longer than initial incident response plans anticipate. The ongoing investigation by the Health Services Safety Investigations Body into healthcare readiness for electronic system loss adds a regulatory dimension that security leaders should track.

3 practical actions

  1. Stress-test third-party recovery dependencies: Identify which critical services rely on external providers and assess how long your organization could sustain manual workarounds if a supplier’s systems were unavailable for months, not days.
  2. Review pathology and clinical data continuity plans: For healthcare organizations, confirm that contingency procedures for delayed or missing test results include escalation paths, clinician alerts, and mechanisms to prevent results from being missed entirely.
  3. Account for cascading data backlogs in recovery planning: Build recovery plans that address not just system restoration but the operational burden of re-entering, reconciling, and auditing records accumulated during extended downtime periods.
