London Pathology Firm Synnovis Begins Notifying Partners Following 2024 Data Breach

Synnovis, a pathology services provider based in London, has started informing healthcare providers about a data security incident from last June that exposed certain patients’ sensitive personal data.

On June 3, 2024, Synnovis was hit by a major ransomware attack attributed to the Qilin ransomware group, which impacted its internal network. The incident caused substantial disruptions across several NHS hospitals in London—including Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospital NHS Foundation Trust—as well as other primary care services in southeast London.

The ransomware attack resulted in the theft and leak of about 394.1 GB of Synnovis’ confidential data, including sensitive patient details such as names, dates of birth, NHS numbers, and blood test information. The breach disrupted blood testing and diagnostics, strained national blood supplies, forced hospitals to rely on universal donor blood, and contributed to delays in critical treatments, including at least one patient death.

Despite the severity of the breach—which exposed sensitive medical information of more than 900,000 individuals, according to independent analysis—Synnovis did not directly notify affected patients for many months. The company stated that its internal investigation is well advanced but still ongoing, and that it is preparing to notify patients and partner organisations appropriately.

In a recent update, Synnovis announced that it has completed its investigation and has begun notifying affected organisations, a process it expects to finish by November 21.

“This marks the latest stage of investigation that has taken a large team of forensic experts and data specialists over a year to complete. The stolen data was unstructured, incomplete and fragmented, requiring the use of highly specialised platforms and bespoke processes to piece it together – factors which heavily influenced the duration of the investigation,” Synnovis said.

The company added that it did not pay a ransom, explaining that the decision, made jointly with its NHS Trust partners, “reflects our commitment to ethical principles and the rejection of funding future cybercriminal activities that threaten critical infrastructure, patient privacy, and national security.”