Guy’s and St Thomas’ NHS Foundation Trust and Synnovis: NHS Pathology Provider Synnovis Notifies Organizations Affected by June 2024 Ransomware Attack

Synnovis Ransomware Attack Disrupts NHS Pathology Services, Exposes 300M Patient Records

In June 2024, UK pathology provider Synnovis, a critical supplier of blood, urine, and specimen testing for NHS trusts and private healthcare organizations, suffered a ransomware attack by the Qilin group, a Russian-linked cybercriminal operation. The attack, which occurred on June 3, encrypted Synnovis’ systems and exfiltrated data before locking files, causing widespread disruption to NHS services across London and beyond.

Impact on Healthcare Services

The attack paralyzed Synnovis’ IT infrastructure, forcing Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust, two of the UK’s busiest hospital networks, to cancel over 10,000 appointments, including 1,134 planned operations, 2,194 outpatient visits, 100+ cancer treatments, and 18 organ transplants in the first two weeks alone. Blood testing capacity plummeted to 10% of normal levels, leading to a nationwide shortage of O-negative blood as hospitals prioritized emergency cases.

The disruption extended to GP surgeries, mental health services (South London and Maudsley NHS Trust), and private healthcare providers, with Synnovis estimating a full recovery would take months. By November 2024, the company had rebuilt 75+ applications, migrated core systems to the cloud, and restored 65+ scientific analyzers across seven locations.

Data Breach & Ransom Demands

Qilin exfiltrated 400GB of data before encrypting Synnovis’ systems, later leaking it on the dark web after the $50 million ransom deadline expired. The stolen data includes 300 million patient interactions, encompassing blood test results, HIV/STI diagnoses, cancer screenings, and personally identifiable information. While Synnovis confirmed no data was taken from its primary lab databases, the breach exposed records from both NHS and private healthcare patients, raising risks of extortion attempts against individuals with sensitive diagnoses.

Synnovis refused to pay the ransom, citing ethical concerns and the risk of funding further attacks. The National Crime Agency (NCA), National Cyber Security Centre (NCSC), and Information Commissioner’s Office (ICO) were notified, with authorities considering retaliatory action against Qilin.

Investigation & Recovery Challenges

A 17-month forensic review revealed the attackers randomly stole data from working drives, complicating the identification of affected individuals. Synnovis developed custom systems to reconstruct the data, completing notifications to affected organizations by November 21, 2025. Under UK law, individual NHS trusts, not Synnovis, will determine whether patients must be notified, with any direct communications from Synnovis flagged as potential scams.

The attack’s entry point remains unknown, though Qilin claimed to have exploited a zero-day vulnerability. Synnovis replaced all compromised IT infrastructure and stressed that the exfiltrated data was not in a readily usable format for malicious actors.

Broader Context

This incident follows a separate April 2024 attack on Synnovis by the BlackBasta ransomware group, which also leaked stolen data after a ransom went unpaid. The NHS has faced 215 ransomware attacks since 2019, with 2023 marking a record high in UK cyber incidents. The Synnovis breach underscores the vulnerability of critical healthcare infrastructure to financially motivated cyber threats, particularly those targeting third-party service providers.

Source: https://www.hipaajournal.com/care-disrupted-at-london-hospitals-due-to-ransomware-attack-on-pathology-vendor/

Guy’s and St Thomas’ NHS Foundation Trust TPRM report: https://www.rankiteo.com/company/guys-and-st-thomas-nhs-foundation-trust

Synnovis TPRM report: https://www.rankiteo.com/company/synnovis

"id": "synguy1771180010",
"linkid": "synnovis, guys-and-st-thomas-nhs-foundation-trust",
"type": "Cyber Attack",
"date": "11/2025",
"severity": "100",
"impact": "7",
"explanation": "Attack that could injure or kill people"
{'affected_entities': [{'customers_affected': 'NHS trusts, private healthcare '
                                              'organizations, GP surgeries, '
                                              'mental health services',
                        'industry': 'Healthcare',
                        'location': 'United Kingdom',
                        'name': 'Synnovis',
                        'type': 'Pathology service provider'},
                       {'customers_affected': 'Patients requiring blood tests, '
                                              'surgeries, and outpatient care',
                        'industry': 'Healthcare',
                        'location': 'London, UK',
                        'name': 'Guy’s and St Thomas’ NHS Foundation Trust',
                        'type': 'NHS Hospital Trust'},
                       {'customers_affected': 'Patients requiring blood tests, '
                                              'surgeries, and outpatient care',
                        'industry': 'Healthcare',
                        'location': 'London, UK',
                        'name': 'King’s College Hospitals NHS Trust',
                        'type': 'NHS Hospital Trust'},
                       {'customers_affected': 'Mental health service patients',
                        'industry': 'Healthcare',
                        'location': 'London, UK',
                        'name': 'South London and Maudsley NHS Trust',
                        'type': 'NHS Mental Health Trust'}],
 'customer_advisories': 'Patients advised to verify communications from NHS '
                        'trusts regarding the breach',
 'data_breach': {'data_encryption': 'Yes (ransomware encryption)',
                 'data_exfiltration': 'Yes (400GB exfiltrated)',
                 'number_of_records_exposed': '300 million patient '
                                              'interactions',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (medical and personally '
                                        'identifiable information)',
                 'type_of_data_compromised': ['Blood test results',
                                              'HIV/STI diagnoses',
                                              'Cancer screenings',
                                              'Personally identifiable '
                                              'information']},
 'date_detected': '2024-06-03',
 'description': 'In June 2024, UK pathology provider Synnovis, a critical '
                'supplier of blood, urine, and specimen testing for NHS trusts '
                'and private healthcare organizations, suffered a ransomware '
                'attack by the Qilin group, a Russian-linked cybercriminal '
                'operation. The attack encrypted Synnovis’ systems and '
                'exfiltrated data, causing widespread disruption to NHS '
                'services across London and beyond.',
 'impact': {'brand_reputation_impact': 'Significant impact on NHS and private '
                                       'healthcare providers',
            'data_compromised': '400GB of data exfiltrated, including 300 '
                                'million patient interactions',
            'downtime': 'Months for full recovery',
            'identity_theft_risk': 'High (exposure of personally identifiable '
                                   'information)',
            'operational_impact': 'Over 10,000 appointments canceled, '
                                  'including 1,134 planned operations, 2,194 '
                                  'outpatient visits, 100+ cancer treatments, '
                                  'and 18 organ transplants. Blood testing '
                                  'capacity reduced to 10% of normal levels.',
            'systems_affected': 'IT infrastructure, 75+ applications, 65+ '
                                'scientific analyzers across seven locations'},
 'initial_access_broker': {'data_sold_on_dark_web': 'Yes (data leaked on dark '
                                                    'web after ransom deadline '
                                                    'expired)'},
 'investigation_status': 'Ongoing (17-month forensic review completed, '
                         'notifications sent to affected organizations)',
 'lessons_learned': 'Vulnerability of critical healthcare infrastructure to '
                    'third-party service provider attacks; challenges in '
                    'identifying and notifying affected individuals due to '
                    'random data exfiltration; importance of robust incident '
                    'response and recovery plans.',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'corrective_actions': 'Replaced all compromised IT '
                                                  'infrastructure; developed '
                                                  'custom systems to '
                                                  'reconstruct data; enhanced '
                                                  'security protocols for '
                                                  'future incidents',
                            'root_causes': 'Exploitation of zero-day '
                                           'vulnerability (claimed); lack of '
                                           'robust third-party vendor security '
                                           'measures'},
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Yes',
                'ransom_demanded': '$50 million',
                'ransom_paid': 'No',
                'ransomware_strain': 'Qilin'},
 'recommendations': 'Enhance cybersecurity measures for third-party vendors; '
                    'improve data protection and encryption; develop clearer '
                    'protocols for patient notifications in large-scale '
                    'breaches; invest in zero-day vulnerability detection and '
                    'mitigation.',
 'references': [{'source': 'Synnovis incident reports'},
                {'source': 'NHS cyber incident records'}],
 'regulatory_compliance': {'legal_actions': 'Authorities considering '
                                            'retaliatory action against Qilin',
                           'regulatory_notifications': 'ICO notified'},
 'response': {'communication_strategy': 'Notifications to affected '
                                        'organizations completed by November '
                                        '21, 2025; individual patient '
                                        'notifications to be determined by NHS '
                                        'trusts',
              'containment_measures': 'System encryption, data exfiltration '
                                      'prevention (post-breach)',
              'law_enforcement_notified': 'National Crime Agency (NCA), '
                                          'National Cyber Security Centre '
                                          '(NCSC), Information Commissioner’s '
                                          'Office (ICO)',
              'recovery_measures': 'Full recovery estimated to take months, '
                                   'ongoing as of November 2024',
              'remediation_measures': 'Rebuilt 75+ applications, migrated core '
                                      'systems to the cloud, restored 65+ '
                                      'scientific analyzers'},
 'stakeholder_advisories': 'NHS trusts advised to determine patient '
                           'notifications; Synnovis warnings about potential '
                           'scam communications',
 'threat_actor': 'Qilin group',
 'title': 'Synnovis Ransomware Attack Disrupts NHS Pathology Services, Exposes '
          '300M Patient Records',
 'type': 'Ransomware',
 'vulnerability_exploited': 'Zero-day vulnerability (claimed by Qilin)'}