Synnovis, a prominent pathology services provider in the UK, has officially acknowledged a data breach that followed a significant ransomware attack in June 2024. This incident has raised concerns among healthcare providers regarding the safety of patient information, as sensitive data has reportedly been stolen.
Founded in 2021, Synnovis operates as a collaborative entity between global medical diagnostics provider SYNLAB, Guy's and St Thomas' NHS Foundation Trust, and King's College Hospital NHS Foundation Trust. The company delivers essential pathology services to various healthcare organizations, prominently servicing the National Health Service (NHS).
In its recent communication, Synnovis has begun notifying the relevant healthcare organizations affected by the breach, specifically NHS hospitals and clinics, although it will not be contacting patients directly. As stipulated by UK data protection laws, patient notifications are the responsibility of the specific NHS organisations involved.
"We have now begun notifying the organisations whose data was affected and expect to conclude this process by 21 November 2025. This marks the latest stage of investigation that has taken a large team of forensic experts and data specialists over a year to complete," said a spokesperson from Synnovis. The prolonged investigation underscores the complexity of the situation, given the fragmented nature of the stolen data.
By the Numbers
By the Numbers
By the Numbers
The compromised data encompasses various personal details, including patients' NHS numbers, names, dates of birth, and, in certain instances, specific test results. However, Synnovis has pointed out that much of the stolen information remains "unstructured, incomplete and fragmented," which means that specialized knowledge may be necessary to fully interpret or utilize the data.
"unstructured, incomplete and fragmented,"
Impact and Legacy
Impact and Legacy
The ransomware attack, which occurred on June 3, 2024, notably disrupted operations at multiple NHS facilities in London, including major hospitals such as King's College, Guy's, St Thomas', Royal Brompton, and Evelina London. The repercussions of this attack were extensive, impacting non-emergency pathology services, blood transfusions, and leading to the cancellation or postponement of over "800 planned operations and 700 outpatient appointments" due to blood shortages.
"800 planned operations and 700 outpatient appointments"
In the wake of the initial attack, the Qilin ransomware gang claimed responsibility for data leakage on June 20, 2024. This breach prompted Synnovis to notify the Information Commissioner's Office and seek a legal injunction to prevent the misuse of their data. Ciaran Martin, the founding CEO of the National Cyber Security Centre (NCSC), has linked the breach to the Qilin ransomware operation.
Looking Ahead
"We are in the process of notifying organisations about their stolen data so that they can conduct any appropriate analysis of its impact on their patients," said the Synnovis spokesperson. They also emphasized the importance of ethical standards in their response, stating, "we did not pay a ransom following the incident, reflective of our commitment to ethical principles and the rejection of funding future cybercriminal activities that threaten critical infrastructure, patient privacy, and national security."
"We are in the process of notifying organisations about their stolen data so that they can conduct any appropriate analysis of its impact on their patients,"
Synnovis's associate, Qilin, emerged as a Ransomware-as-a-Service (RaaS) operation in August 2022 under the name “Agenda” and has since boasted over 300 victims, including significant corporations like Yangfeng and Lee Enterprises. This reaffirmation of the threat posed by ransomware stresses the urgency of resilient cybersecurity measures.
As the investigation continues and notifications are finalized, the evolving landscape of cybersecurity remains a critical area of focus for healthcare providers. With the intricate nature of data breaches and the establishment of more sophisticated attack vectors, companies like Synnovis reinforce the need for heightened vigilance and robust defenses in the protection of sensitive patient information.