Pathology provider Synnovis is contacting NHS organisations which had knowledge stolen and printed on-line following a significant cyber assault final yr.
The ransomware assault on 4 June 2024, which led to a affected person demise, induced widespread disruption to NHS companies in London together with 1000’s of delayed appointments at King’s School Hospital NHS Basis Belief and Man’s and St Thomas’ NHS Basis Belief and delays to blood testing in main care.
Synnovis has now accomplished its investigation into affected person and workers knowledge printed on-line by the cyber prison gang on 20 June 2024, which incorporates private knowledge corresponding to names, NHS numbers, check outcomes and check codes that point out the character of checks requested.
The stolen knowledge additionally contains data originating from Synnovis’ administrative working drive which supported the agency’s company and enterprise help actions.
Mark Greenback, chief govt at Synnovis, stated in a assertion: “It has taken greater than a yr of painstaking investigation to decipher and piece collectively the info stolen on this smash-and-grab cyberattack.
“I’ve seen first-hand the size of the problem – even for main cyber consultants – to deal with the random and fragmented nature of the info scraped from our techniques.
“Our focus now turns to notifying the organisations affected. We’re providing our full help as they decide their subsequent steps, together with devoted contact factors, supporting supplies and an internet site we’ll hold up to date with related data.”
In an replace on 10 November 2025, NHS England stated that the investigation has taken Synnovis “greater than a yr to finish as a result of the stolen knowledge was “unstructured, incomplete and fragmented”.
Synnovis stated that the info stolen is separate to the database which helps laboratory operations and holds nearly all of check requests and outcomes.
It has begun notifying organisations which had knowledge stolen, together with NHS hospitals, GP practices and clinics, with the method anticipated to conclude by 21 November 2025.
These suppliers will evaluation copies of the stolen knowledge to know what it accommodates, who it could determine and if people must take any steps due to their knowledge being impacted.
NHSE stated that after every organisation has assessed the impacted knowledge they might contact sufferers by way of “letters to particular person sufferers, an announcement on their web site or different types of communication”.
In a assertion, King’s School Hospital NHS Basis Belief stated: “We have now now acquired notification from Synnovis concerning the impression of the cyber assault on their techniques and are the scope of affected knowledge.
“We’re fastidiously reviewing and scrutinising all out there data supplied by Synnovis to totally perceive the implications of the info breach and the precise knowledge which will have been affected.
“As soon as our evaluation is full, we’ll notify affected people the place acceptable.”
It added that the belief is “dedicated to safeguarding affected person and workers knowledge”.
Final month, cyber safety knowledgeable Saif Abed, founding accomplice on the AbedGraham Group, referred to as for a public inquiry into the Synnovis assault and urged NHS leaders to write down to MPs requesting an investigation into NHS cyber safety and affected person security following the crucial incident.
