Synnovis Notifies Of Data Breach After 2024 Ransomware Attack

Synnovis, a leading UK pathology services provider, is notifying healthcare providers that a data breach occurred following a ransomware attack in June 2024, which resulted in the theft of some patients' data.

Founded in 2021, Synnovis is a partnership between international medical diagnostics provider SYNLAB, Guy's and St Thomas' NHS Foundation Trust, and King's College Hospital NHS Foundation Trust. It provides pathology services to UK healthcare organisations, including the National Health Service (NHS).

Synnovis is now reaching out to affected organizations, including NHS hospitals and clinics, but will not contact patients directly. Patient notifications will be handled by the impacted NHS organizations, as required by UK data protection law.

"We have now begun notifying the organisations whose data was affected and expect to conclude this process by 21 November 2025. This marks the latest stage of investigation that has taken a large team of forensic experts and data specialists over a year to complete," Synnovis said in a Monday press release.

"The stolen data was unstructured, incomplete and fragmented, requiring the use of highly specialised platforms and bespoke processes to piece it together – factors which heavily influenced the duration of the investigation."

The stolen data includes personal information, such as the affected patients' NHS numbers, names, dates of birth, and, in some cases, test results that could be matched to an individual. However, Synnovis says the majority of the stolen information requires "clinical knowledge or further enrichment to interpret."

On June 3, 2024, Synnovis was hit by a ransomware attack with "major impact" on procedures and operations at multiple major NHS hospitals in London, including King's College Hospital, Guy's Hospital, St Thomas' Hospital, Royal Brompton Hospital, and Evelina London Children's Hospital.

Non-emergency pathology appointments and blood transfusions at the impacted London hospitals have been either canceled, postponed, or redirected to other providers. The incident also led to blood shortages in London and forced affected hospitals to cancel over "800 planned operations and 700 outpatient appointments."

On June 20, 2024, the attackers released data allegedly stolen from Synnovis' system, prompting the company to notify the Information Commissioner's Office and secure a legal injunction against further use.

While Synnovis has yet to name the threat group behind last year's rans

Source: BleepingComputer