The must-read stories and debate in health policy and leadership.

The legal, regulatory and financial effects of the cyber attack on a London pathology provider will be felt for years.

The two trusts most affected, Guy’s and Thomas’ and King’s College Hospital, touch so many other parts of the system that the consequences are still being reckoned with.

One of these is private income – both trusts do significant volumes of work funded through insurance companies, self-pay or wealthy foreign governments. These customers will be just as horrified as the trusts’ NHS patients over the potential loss of their private medical data, but unlike NHS patients will be able to vote with their wallets (yes, patient choice notionally exists in the NHS, but in practice it is nowhere near as heavily contested as private medical work). This work is roughly £60m in income to GSTT.

And that is before we get into questions like: “Could very wealthy patients who have flown in from Kuwait or Qatar and then had their data lost sue the pathology provider for exposing their medical data?”

Synnovis is 51 per cent owned by German firm Synlab, with the rest of the shares held by the two trusts, so even if KCH and GSTT don’t want to take any contractual action (for lost income or the huge costs involved in providing cover for the work Synnovis can’t do) private customers might.

Then there is the question of Synnovis/Synlab’s longer term future. The company is involved in delivering NHS services in Manchester and Essex: are these safe againt cyber attack?

Synnovis does an undisclosed amount of private work unrelated to the NHS: will other private providers sue, as well as the private customers of the NHS?

Who will bear the costs of rebuilding Synnovis’s whole IT system from the ground up: will it be split along the lines of ownership (51/49 per cent Synlab/NHS)? Potentially a lot of lawyering is on the cards before anything is settled.

Patient harm from delayed care is yet to be assessed but is also a given.

GSTT have admitted that their last great IT failure (when a heatwave took out their servers in 2022) saw a lack of candour on their part. The incident was stood down after two months.

Its review of this incident said GSTT “must never again allow itself to be in a situation where the recovery of its core IT systems, whether as a result of infrastructure failure, cyber-attack or another cause, takes so long to complete”. 

It will be interesting to see how open England’s most powerful provider organisation is this time.

Further research required

Government-controlled health research funding for the North of England has remained unchanged over the last decade, with London and the South East keeping their dominant share. This stagnation persists despite ministers’ “levelling up” promises and the National Institute of Health and Care Research’s aim to boost investment in under-served areas with poor health outcomes.

Data from HSJ shows the North has received about 23 per cent of NIHR funding over the past 10 years, despite accounting for 35 per cent of the population when adjusted for health needs. London, Oxford, and Cambridge regions have received 56 per cent of the national share, despite having only 36 per cent of the weighted population.

In 2022-23, NIHR funding totalled £1.3bn, crucial for a strong clinical research base that attracts larger private and third sector investments. The Northern Health Science Alliance notes some buildings in the South East, like Cambridge’s Sanger Institute, receive more annual funding than the entire North.

Also on hsj.co.uk

Labour’s manifesto priorities overlook emergency care, writes our Mythbuster Steve Black. Thank heaven, then, that Wes Streeting has committed to recovering A&E performance, he says. And in news we report that a trust’s drugs control department was found to have a “significant under-appreciation of safety” and “a culture of unwillingness”, after it lost track of at least two bags of fentanyl.