Overview
- Synnovis says its forensic investigation has concluded and notifications to affected organisations are underway, due to finish by November 21, 2025.
- Under UK data protection law, Synnovis will not contact patients directly and NHS organisations will assess the impact and decide if notifications are required.
- The stolen material includes patient identifiers and some test results, with Synnovis reporting that most of the data is unstructured and difficult to interpret without clinical context.
- The incident is linked to the Qilin ransomware group, with roughly 400GB allegedly leaked on June 20, 2024; Synnovis sought a legal injunction, notified the ICO, worked with the NCA, and says it did not pay a ransom.
- The 2024 attack caused severe disruption to London hospital services, including blood shortages and extensive cancellations, and reporting has linked the incident to at least one fatality.