Synnovis, the joint venture pathology services partnership between two London NHS Trusts and Synlab, a provider of medical diagnostics technology, is notifying its NHS partners that their data was stolen in a Qilin ransomware attack on its systems, almost 18 months after the incident took place.
The June 2024 cyber attack affected both Guy’s and St Thomas’ and King’s College hospitals in London, as well as other NHS services across the capital.
The incident saw thousands of outpatient appointments and elective procedures cancelled, caused a major shortage of much needed blood bank stocks, and has since been linked to at least one fatality. The ransomware gang subsequently released a 400GB trove of data online.
In a new update this week, Synnovis said its own investigation into the incident had now concluded.
“We are in the process of contacting each organisation whose data was compromised,” the organisation said.
“This will be completed by 21 November 2025. Each affected organisation will … decide if any patients need to be notified and how they will make those notifications…. Synnovis will not be contacting any impacted patients directly.”
Because Synnovis acts as a data processor and its NHS partners as data controllers, under UK law it is the affected NHS bodies that must notify patients, and it will ultimately be up to them to assess and decide whether or not notification is necessary.
Addressing the length of time that has elapsed since the incident, Synnovis said that the leaked data was “stolen in haste and in a random manner”.
“This investigation has taken more than a year to complete because of its exceptional scale and complexity. Multiple specialised platforms and bespoke processes had to be developed to reconstruct the data,” said Synnovis.
The organisation added: “We have been in regular communication with the ICO [Information Commissioner’s Office] since the attack and worked closely with relevant law enforcement agencies including the NCA in the immediate aftermath of the incident.
“We regret the disruption, concern and upset to patients, our own employees, frontline NHS colleagues and other service users as a result of this criminal cyber attack. Every effort was made to support clinicians, GPs and patients and end the disruption caused as quickly as possible during this time.”
Following the attack, Synnovis applied for a legal injunction against the misuse or further dissemination of the stolen data, meaning it cannot legally be published, although this does not mean it has not been abused.
In the meantime, patients of the affected NHS Trusts should maintain vigilance and be alert to unsolicited approaches, suspicious calls and emails, especially those that ask them to provide personal or financial data.
Synnovis said patients could rest assured that there was no evidence that Qilin’s interest in its business, or the stolen data, was ongoing, and claimed that there has not been any evidence of the compromised data having been misused against any individuals.
No ransom
In its latest update, Synnovis also revealed that it had not paid a ransom to Qilin. It said: “This decision, made in collaboration with our NHS Trust partners, reflects our commitment to ethical principles and the rejection of funding future cyber criminal activities that threaten critical infrastructure, patient privacy, and national security.”
