NHS patients notified 18 months after ransomware exposed medical test data

NHS pathology provider Synnovis has finally begun notifying healthcare organizations about a data breach that exposed sensitive patient information, including sexually transmitted infection and cancer test results, 18 months after a Qilin ransomware attack crippled London hospitals in June 2024. 

What happened

On June 3, 2024, Synnovis, a pathology partnership between Guy's and St Thomas' NHS Foundation Trust, King's College Hospital NHS Foundation Trust, and international diagnostics provider SYNLAB, suffered a ransomware attack that impacted nearly all of its IT systems. The attack, attributed to the Qilin ransomware gang, severely disrupted pathology services across London and forced the cancellation of more than 10,000 acute outpatient appointments and over 1,700 elective operations.

The incident created critical blood supply shortages as hospitals could not process urgent blood tests, and King's College Hospital NHS Trust confirmed in June 2025 that the disruption contributed to at least one patient death, marking one of the rare documented cases where ransomware has been directly linked to a fatality.

On June 20, 2024, Qilin published approximately 400GB of stolen data on its dark web leak site after Synnovis refused ransom demands. Security firm CaseMatrix analyzed the published material and estimated that data relating to more than 900,000 NHS patients was exposed, though Synnovis has neither confirmed nor disputed that figure.

The compromised information includes patient names, NHS identification numbers, dates of birth, and in some cases, detailed test results that could be matched to specific individuals. The most sensitive information identified by analysts includes pathology and histology forms describing symptoms of intimate medical conditions, including sexually transmitted infections and cancer diagnoses.

On November 10, 2025, more than 17 months after the initial attack, Synnovis announced it had completed its forensic investigation and begun notifying affected NHS organizations. Under UK data protection law, Synnovis acts as a data processor while the individual NHS hospitals and clinics function as data controllers, meaning the healthcare providers themselves must determine whether patient notification is necessary and carry out those notifications directly.

Why it matters

Synnovis attributed the prolonged investigation timeline to "exceptional scale and complexity," explaining that "the compromised data was unstructured, incomplete and fragmented, and often very difficult to understand." The company stated that forensic experts "had to use highly specialized platforms and bespoke processes to piece it together" after attackers stole data "in haste and in a random manner from Synnovis' working drives."

However, cybersecurity experts have sharply criticized the delay. "The human impact, including a patient death and severe service interruptions, far surpasses the complexities of the forensic investigation," said Damon Small, a board member at security firm Xcape. "When a vendor fails, the clock on patient safety and privacy must start immediately, not 17 months later."

Denis Calderone, COO at security company Suzu, argued that data management failures, not investigation complexity, drove the delay: "Unstructured and fragmented data isn't a valid excuse; it's evidence of inadequate data management. If you can't quickly identify compromised information, you've fundamentally failed basic data governance."

The breach also illustrates vulnerabilities in healthcare supply chain relationships. Synnovis functions similarly to a HIPAA business associate in the US context, a third-party service provider that processes protected health information on behalf of covered entities. When business associates suffer breaches, the regulatory and notification obligations flow back to the covered entities, but patients remain vulnerable throughout the investigation period.

The big picture

The Qilin ransomware operation has established itself as a significant threat to healthcare organizations globally. Operating as a Ransomware-as-a-Service platform, Qilin has claimed responsibility for more than 300 victims since emerging in August 2022. The group employs double-extortion tactics, stealing data before encrypting systems, then threatening to publish stolen information if ransom demands are not met.

Synnovis's forensic investigation revealed that attackers did not breach the company's primary laboratory database. Instead, they grabbed whatever files they could access during the intrusion from working drives. This opportunistic approach resulted in the "unstructured, incomplete and fragmented" dataset that Synnovis says required specialized reconstruction efforts.

The company emphasized that stolen data "has never been available in a form that could easily be used by anyone with ill intent," though cybersecurity experts note that even partial medical information becomes valuable when combined with data from other breaches. Foreign intelligence services and sophisticated criminal operations routinely aggregate information from multiple sources to build comprehensive profiles for espionage, fraud, or targeted attacks.

Synnovis secured a legal injunction prohibiting further publication or use of the stolen data, though such orders provide limited practical protection once information circulates in criminal forums. The company stated there is "no evidence that Qilin's interest in its business, or the stolen data, was ongoing" and claimed no evidence suggests the compromised data has been misused against individuals, though proving a negative remains difficult when stolen data trades hands in underground markets.

FAQs

What is the difference between a data processor and a data controller?

Under UK data protection law (and similarly under GDPR), a data controller determines the purposes and means of processing personal data, while a data processor handles data on the controller's behalf. In the Synnovis case, NHS hospitals and clinics are data controllers because they decide how patient data is used for healthcare delivery, while Synnovis is a data processor that runs laboratory tests according to the hospitals' instructions. This distinction matters for breach notification because controllers, not processors, must decide whether to notify affected individuals.

What does Ransomware-as-a-Service mean?

Ransomware-as-a-Service (RaaS) is a business model where ransomware developers create the malicious software and provide it to affiliates who conduct the actual attacks, with profits split between developers and affiliates. This model, used by groups like Qilin, lowers barriers to entry for cybercriminals who lack the technical skills to develop ransomware themselves. RaaS operations often include customer support, negotiation services, and payment infrastructure, functioning like legitimate software companies but for criminal purposes.

What is double-extortion ransomware?

Double-extortion ransomware involves two threats: attackers encrypt victims' systems (preventing access to data) and separately threaten to publish stolen data online if ransom demands aren't met.