Synnovis Ransomware Attack and Data Breach Notification to UK Healthcare Providers
Synnovis, a British pathology laboratory services firm, has begun notifying UK healthcare providers that patient data may have been compromised in a ransomware attack that occurred in June 2024. The attack disrupted laboratory services and caused blood shortages, significantly impacting patient care for several months. Following a complex forensic investigation, Synnovis determined that cybercriminals stole data in a hasty and disorganized manner from a working drive, resulting in fragmented and unstructured data exfiltration.
The company stated that none of the stolen data originated from its primary laboratory database. Under UK data protection law, Synnovis is responsible for informing healthcare providers, who must then notify affected patients if necessary. The notification process follows more than a year of investigation to identify the scope and nature of the compromised data. Synnovis emphasized the challenges in analyzing the stolen data due to its random and untargeted extraction during the cyberattack.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
SLaM reports major pathology disruption still ongoing into January 2026
South London and Maudsley NHS Foundation Trust said the June 2024 Synnovis ransomware attack was still disrupting pathology services into January 2026. The trust remained in business continuity mode using manual processes, with 161,560 pathology reports still not entered into patient records and pathology reports unavailable in the London Care Record.
Synnovis says provider notification process will conclude by Nov. 21
Reporting on November 13, 2025 said Synnovis expected its notification process to affected healthcare providers to finish by November 21. The notices concerned exfiltrated data including names, dates of birth, NHS numbers, and in some cases medical test information.
Synnovis completes forensic probe into the 2024 ransomware attack
By mid-November 2025, Synnovis said it had completed its forensic investigation into the June 2024 Qilin attack. The company said it still had not determined the attackers' initial access vector, although compromised infrastructure had been replaced.
Attack is linked publicly to a patient death
By November 2025, reporting on the Synnovis incident noted that the ransomware attack had been linked to a patient fatality. This marked the incident as one of the most serious and disruptive cyberattacks affecting recent NHS operations.
Synnovis begins notifying NHS organizations of affected patient data
In November 2025, Synnovis started informing NHS providers and partner organizations about which patients' data had been stolen in the 2024 breach. Under UK data protection rules, the affected healthcare organizations, rather than Synnovis, are responsible for notifying individual patients.
Forensic investigation finds stolen data was fragmented and hard to analyze
Over the following year, Synnovis conducted a lengthy forensic investigation into the breach. The review was prolonged because the stolen data was unstructured and fragmented, requiring specialized analysis to determine what had been taken and who was affected.
Qilin leaks stolen Synnovis data online
After ransom payment was refused, the Qilin gang dumped exfiltrated Synnovis data online. The leaked information included patient-related data such as personal identifiers and, in some cases, test results.
Synnovis and NHS partners refuse to pay the ransom
Following the June 2024 attack, Synnovis and its NHS partners decided not to pay the attackers' ransom demand. The decision was later followed by the threat actors publishing stolen data online as part of a double-extortion tactic.
Qilin ransomware attack hits Synnovis and disrupts London NHS services
In June 2024, pathology provider Synnovis was hit by a ransomware attack attributed to the Qilin gang. The incident severely disrupted pathology services for NHS hospitals in London, causing cancellations and postponements of operations and appointments and contributing to blood shortages.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Qilin's 2024 attack on NHS vendor continues to impact patient care for one NHS Trust - DataBreaches.Net
databreaches.net
Open sourceNHS supplier ends probe into ransomware attack that contributed to patient death
go.theregister.com
Open sourceData breach notices for Qilin hack provided by Synnovis
scworld.com
Open sourceNHS patients to finally be informed if hackers published their STI and cancer test data
therecord.media
Open sourceSynnovis notifies of data breach after 2024 ransomware attack
bleepingcomputer.com
Open sourceSynnovis Notifying UK Providers of Data Theft in 2024 Attack
govinfosecurity.com
Open sourceSynnovis Notifying UK Providers of Data Theft in 2024 Attack
bankinfosecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Synnovis Ransomware Breach Exposed Data of 32,927 Bedfordshire NHS Patients
Bedfordshire Hospitals NHS Foundation Trust said data relating to **32,927 patients** was identified in material stolen during the **Synnovis ransomware attack**, confirming that the incident extended beyond service disruption into a significant patient data breach. The compromised information was linked to pathology-related files dating from **2011 to 2020** and may include personal details and diagnostic test results. The trust issued a public notification tied to the Synnovis cyber incident and began informing affected individuals after determining that their records were present in data later published on dark web sites. The organizations involved said notification was delayed because the stolen material was fragmented across unstructured administrative pathology files, requiring lengthy forensic analysis to attribute ownership and assess impact. Security experts said the case highlights the long-tail risk of third-party attacks in NHS supply chains, warning that even partial or disjointed healthcare records can be combined by threat actors for phishing, fraud, and other identity-related abuse.
Jun 15, 2026
NHS patient data breaches expose records and deepen harm to attack victims
Nottingham University Hospitals NHS Trust apologized after a public inquiry found survivors of the 2023 Nottingham attacks were not properly included when the trust investigated unauthorized access to their medical records. The inquiry said staff inappropriately viewed victims’ records without authorization, and a 2025 internal investigation uncovered broader misuse of sensitive patient information. The trust said its response initially focused too narrowly on bereaved families, while disciplinary action resulted in 11 employees being dismissed and several others receiving written warnings for serious data protection violations. Separately, the fallout from the 2024 Synnovis ransomware attack linked to the **Qilin** gang continues to widen across the NHS, with Mid and South Essex NHS Foundation Trust confirming about **2,380** specialist diagnostic testing records were affected after Bedfordshire Hospitals NHS Foundation Trust disclosed nearly **33,000** impacted records. The attack disrupted pathology services across south east London, causing canceled appointments, delayed operations, and blood testing and transfusion problems, while stolen patient data was later published online after extortion failed. NHS organizations are still identifying affected patients, and King’s College Hospital NHS Foundation Trust has said service delays caused by the outage contributed to a patient’s death.
Jun 9, 2026
Healthcare Data Breach and Ransomware Incident Roundup
Several healthcare-related organizations disclosed **separate data breach incidents** involving ransomware, unauthorized network access, and third-party compromise. CommonSpirit Health said patient data was exposed through a downstream vendor chain after **Pinnacle Holdings Ltd** suffered a ransomware attack, with attackers present in the network from November 11 to November 25, 2024, and exfiltrating files before the incident was later relayed through **NorthGauge Healthcare Advisors**. Meadowlark Hills and MedPeds also disclosed breaches tied to the **Beast ransomware** group, while Tieu Dental reported unauthorized access to its network in July 2025 that exposed patient information including Social Security numbers, medical and insurance data. These incidents led to regulatory notifications and offers of credit monitoring or identity theft protection for affected individuals. A separate legal development involved **Geisinger Health** and **Nuance Communications**, where a judge approved a **$5 million settlement** over claims tied to a former Nuance employee's theft of medical records affecting about 1.3 million patients. That matter differs from the ransomware and breach notifications because it concerns civil litigation over an earlier insider data theft rather than a newly disclosed intrusion. Overall, the reporting reflects ongoing exposure of protected health information across the healthcare sector through both direct attacks and third-party relationships, with delayed notification timelines and incomplete early visibility into the full scope of compromised data remaining recurring issues.
Apr 17, 2026