Synnovis to notify NHS of data breach after nearly 18 months

Synnovis, a joint venture for pathology services between two London NHS Trusts and Synlab, a provider of medical diagnostic technology, is notifying its NHS partners that their data was stolen in a Qilin ransomware attack on its systems, almost 18 months after the incident occurred.

The June 2024 cyberattack affected both Guy's and St. Thomas' and King's College hospitals in London, as well as other NHS services across the capital.

The incident saw thousands of outpatient appointments and elective procedures canceled, caused a serious shortage of much-needed blood bank supplies, and has since been associated with at least one death. The ransomware gang subsequently published a 400 GB trove of data online.

In a new update this week, Synnovis said its own investigation into the incident has now been completed.

“We are now contacting every organization whose data was compromised,” the organization said.

“This will be completed by November 21, 2025. Each affected entity…will decide whether to notify any patients and how they will make those notifications…Synnovis will not contact affected patients directly.”

Synnovis acts as a data processor and its NHS partners as data controllers. Under UK law, this means it is the relevant NHS authorities that must notify patients, and ultimately they will assess and decide whether notification is necessary.

Speaking about the time that has passed since the incident, Synnovis said that the leaked data was “stolen in a hurry and randomly.”

“This investigation took more than a year due to its exceptional scope and complexity. Several specialized platforms and specialized processes had to be developed to recover the data,” Synnovis said.

The organization added: “We have communicated regularly with the ICO [Information Commissioner's Office] since the attack and worked closely with relevant law enforcement agencies, including the NCA, in the immediate aftermath of the incident.”

“We regret the disruption, worry and upset experienced by patients, our own staff, NHS colleagues and other service users as a result of this criminal cyber-attack. Every effort has been made to support doctors, GPs and patients and bring the disruption caused during this time to an end as quickly as possible.”

Following the attack, Synnovis applied for an injunction against the misuse or further distribution of the stolen data, meaning it could not be legally released, although that does not mean it was not misused.

In the meantime, patients at affected NHS trusts should remain vigilant and be alert to unsolicited approaches, suspicious calls and emails, particularly those asking for personal or financial details.

Synnovis said patients can be assured that there is no evidence that Qilin's interest in its business or the stolen data continues, and said there was no evidence that the compromised data was misused against any individuals.

No ransom

In its latest update, Synnovis also said that it did not pay Qilin a ransom. It said: “This decision, made in collaboration with our NHS Trust partners, reflects our commitment to ethical principles and our refusal to fund future cybercriminal activity that threatens critical infrastructure, patient privacy and national security.”
