
Nearly a year after a ransomware attack on UK-based pathology provider Synnovis, patients whose data was leaked have yet to be notified. The breach, linked to the Qilin cybercrime group, disrupted blood testing services across several NHS hospitals in London and exposed highly sensitive patient information.
While Synnovis has acknowledged that patient data was compromised, it has not confirmed how many individuals were affected or what specific data was leaked. An independent analysis by data breach experts CaseMatrix suggests over 900,000 people may have been impacted, with leaked files containing names, NHS numbers, birth dates, and, in some cases, detailed pathology forms revealing sensitive health issues, including STIs and cancer symptoms.
Synnovis says its internal investigation is “significantly advanced” but still ongoing. Affected NHS Trusts, including Guy’s and St Thomas’ and King’s College Hospital, said they are waiting on Synnovis to complete its review.
The Information Commissioner’s Office (ICO) requires organisations to notify individuals when sensitive data is exposed, especially when medical confidentiality is at risk. Yet Synnovis has not issued any direct alerts to patients almost a year after the breach.
The attack also strained national blood supplies, forcing hospitals to rely on universal donor types due to blood-matching limitations.
Synnovis says it is now close to concluding its review and finalising procedures to notify those affected. A spokesperson stated the company understands the urgency and will inform patients and organisations “as appropriate.”
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543