
Synnovis, a leading UK pathology services provider, is notifying healthcare providers that a data breach occurred following a ransomware attack in June 2024, which resulted in the theft of some patients’ data.
Formerly known as Viapath, Synnovis was founded as GSTS Pathology in 2009. A new entity, called Synnovis, was created in October 2022 as a partnership between international medical diagnostics provider SYNLAB, Guy’s and St Thomas’ NHS Foundation Trust, and King’s College Hospital NHS Foundation Trust.
Synnovis provides pathology services to UK healthcare organisations, including the National Health Service (NHS).
Synnovis is now reaching out to affected organizations, including NHS hospitals and clinics, but will not contact patients directly. Patient notifications will be handled by the impacted NHS organizations, as required by UK data protection law.
“We have now begun notifying the organisations whose data was affected and expect to conclude this process by 21 November 2025. This marks the latest stage of investigation that has taken a large team of forensic experts and data specialists over a year to complete,” Synnovis said in a Monday press release.
“The stolen data was unstructured, incomplete and fragmented, requiring the use of highly specialised platforms and bespoke processes to piece it together – factors which heavily influenced the duration of the investigation.”
The stolen data includes personal information, such as the affected patients’ NHS numbers, names, dates of birth, and, in some cases, test results that could be matched to an individual. However, Synnovis says the majority of the stolen information requires “clinical knowledge or further enrichment to interpret.”
Breach linked to the Qilin ransomware gang
On June 3, 2024, Synnovis was hit by a ransomware attack with “major impact” on procedures and operations at multiple major NHS hospitals in London, including King’s College Hospital, Guy’s Hospital, St Thomas’ Hospital, Royal Brompton Hospital, and Evelina London Children’s Hospital.
Non-emergency pathology appointments and blood transfusions at the impacted London hospitals were either canceled, postponed, or redirected to other providers. The incident also led to blood shortages in London and forced affected hospitals to cancel over “800 planned operations and 700 outpatient appointments.”
On June 20, 2024, the attackers released data allegedly stolen from Synnovis’ system, prompting the company to notify the Information Commissioner’s Office and secure a legal injunction against further use.
While Synnovis has yet to name the threat group behind last year’s ransomware attack, the incident was linked to the Qilin ransomware operation by Ciaran Martin, the founder and first CEO of the National Cyber Security Centre (NCSC).

On a dedicated site, the company confirmed that it didn’t pay a ransom after the incident, a joint decision with its NHS Trust partners that “reflects our commitment to ethical principles and the rejection of funding future cybercriminal activities that threaten critical infrastructure, patient privacy, and national security.”
“We are in the process of notifying organisations about their stolen data so that they can conduct any appropriate analysis of its impact on their patients,” a Synnovis spokesperson told BleepingComputer after the article was published.
“While we are offering support and guidance to affected organisations during this process, it would not be appropriate for us to make any assumptions on how each of these organisations will define patient impact.”
Qilin surfaced in August 2022 as a Ransomware-as-a-Service (RaaS) operation under the “Agenda” name and has since claimed responsibility for more than 300 victims on its dark web leak site, including automotive giant Yanfeng and publishing giant Lee Enterprises.
Update November 12, 08:08 EST: Added Synnovis statement.