Synnovis Data Breach Exposes Patient Information and Pathology Records

The Synnovis data breach is one of the most significant healthcare cybersecurity incidents in recent UK history. Synnovis, a major pathology services partnership that serves the National Health Service, has completed a year long forensic review of the stolen data taken during the 2024 ransomware incident. The organization has now begun formally notifying healthcare providers about the scope of the breach, the types of data involved, and the potential impact on patients and partner institutions.

This cyberattack did not occur in isolation. It was part of a wider trend of ransomware groups targeting healthcare systems, critical infrastructure, research labs, and national health networks around the world. The event severely disrupted pathology operations across multiple NHS hospitals in London and created one of the largest operational healthcare outages the United Kingdom has ever experienced due to a cyber incident.

In November 2025, Synnovis announced that it had finished the forensic process required to understand the stolen data. The organization confirmed that large volumes of patient information and pathology related files had been compromised. Notifications to affected healthcare institutions began immediately and are scheduled to conclude before 21 November 2025. The Synnovis data breach marks a crucial phase in understanding the true scope of the attack, the long term implications, and the procedures required to mitigate risk across the wider healthcare sector.

Background and Overview of Synnovis

Synnovis is a pathology partnership that plays a vital role in the UK’s medical infrastructure. The organization is jointly operated by:

• Guy’s and St Thomas’ NHS Foundation Trust
• King’s College Hospital NHS Foundation Trust
• SYNLAB, a leading European medical diagnostics provider

Founded in 2021, the partnership provides pathology testing, diagnostics, blood work, and laboratory analysis for a significant portion of London and surrounding regions. These services are essential for hospitals, clinics, specialist centers, outpatient facilities, and NHS care pathways that depend on rapid, accurate diagnostic results.

Because Synnovis holds sensitive medical information, patient test results, and operational pathology data, it is considered a target with both high operational value and high impact potential. Healthcare organizations worldwide are often selected by ransomware groups because the consequences of downtime are severe. These sectors are more likely to experience major disruption from a cyberattack, and criminal groups frequently hope this pressure will result in ransom payment.

Timeline of the 2024 Cyberattack

The Synnovis data breach stems from the ransomware attack that took place in June 2024. According to statements released by Synnovis, the attack immediately crippled core IT systems, pathology networks, and essential internal platforms.

The initial breach caused:

• The shutdown of multiple diagnostic systems
• Widespread disruption across NHS hospitals and clinics
• Canceled or delayed pathology appointments
• Difficulties processing blood transfusions
• Postponed surgical procedures
• Emergency operational responses from affected facilities

The hardest hit institutions included:

• Guy’s Hospital
• St Thomas’ Hospital
• King’s College Hospital
• Royal Brompton Hospital
• Evelina London Children’s Hospital

During the initial disruption period, reports indicated that more than 800 planned surgeries and 700 outpatient appointments had been canceled. Laboratories were forced to redirect services to alternate providers, and some emergency procedures required manual workarounds to compensate for missing diagnostic tools.

Synnovis restored most services by Autumn 2024. However, the forensic review of the stolen data continued well into late 2025.

Completion of the Forensic Review

On 10 November 2025, Synnovis published a formal update confirming that the forensic review of the stolen data was complete. The update is available for public reference on the organisation’s official website at synnovis.co.uk.

According to Synnovis, the stolen data was:

• Highly fragmented
• Unstructured
• Incomplete in many cases
• Distributed across multiple data sets scraped from compromised systems

Because of this, the forensic review required:

• Custom tools designed for data reconstruction
• Specialist forensic teams
• Advanced analytical platforms
• Manual interpretation by clinical professionals and technical experts

The organization emphasized that rebuilding the stolen data into something that could be understood for notification purposes took more than a year and required what they described as significant investigative effort.

What the Stolen Data Contains

While Synnovis has not published a full catalogue of the stolen materials, the organization confirmed that the following categories of information were included in the breach:

• NHS numbers
• Patient names
• Dates of birth
• Internal pathology records
• Diagnostic files that may include test data
• Operational documents that reference patient pathways or clinical procedures

Synnovis noted that much of the stolen data is difficult to interpret without clinical expertise. Many pathology files require technical or scientific knowledge to understand and may not provide clear meaning without being matched with clinical systems. However, personal identifiers were included in some data sets, which elevates the likelihood of long term privacy implications.

How Much Data Was Stolen

While Synnovis did not specify a total data volume, the ransomware group responsible previously posted samples on its leak portal. Key indicators suggest that the attackers obtained a significant amount of sensitive hospital related data, including files of various formats, partial medical test results, and unencrypted administrative documents.

The Attackers and Attribution

Synnovis did not officially name the attacking group. However, several cybersecurity experts, including Ciaran Martin, the former CEO of the UK’s National Cyber Security Centre, attributed the incident to the Qilin ransomware group. Qilin is a ransomware as a service operation that has been active since at least 2022 and is known for high impact attacks.

The group operates through affiliates who select targets, gain initial access, and deploy custom payloads. Qilin has claimed responsibility for hundreds of cyberattacks, including incidents involving major global corporations and public sector institutions.

Why Synnovis and the NHS Were Targeted

Healthcare organizations remain prime targets for ransomware attackers. The Synnovis data breach reflects several important factors that make these institutions vulnerable:

• Critical reliance on uninterrupted digital systems
• Large volumes of highly sensitive personal information
• Complex, interconnected networks that are difficult to secure end to end
• Long life cycles for medical hardware and legacy software
• Limited downtime tolerance

Ransomware groups often select healthcare partners because the operational consequences can create immense pressure to pay. In the case of Synnovis, the organization publicly stated that it refused to pay the ransom, citing ethical commitments and the need to avoid supporting future cybercriminal operations.

Notification Process and Legal Obligations

Synnovis confirmed that notifications have begun and will continue through 21 November 2025. The notification process involves informing:

• NHS hospitals
• Clinics and specialist centers
• Healthcare organizations that relied on Synnovis services

Under UK law, Synnovis does not notify patients directly. Instead, each NHS organization is responsible for evaluating the breach impact on their own patient populations and determining whether individual notification is required.

Synnovis reaffirmed that it never had access to NHS patient record systems and that the compromised data did not include full clinical histories or file structures stored directly by NHS trusts.

Regulations and Government Involvement

The Synnovis data breach involves compliance with several UK legal frameworks, including:

• The Data Protection Act 2018
• The UK GDPR
• NHS cybersecurity and data governance regulations

The Information Commissioner’s Office was previously notified after the initial data leak. The National Cyber Security Centre also provides official guidance for individuals concerned about data exposure, including recommendations for fraud prevention, password changes, and vigilance against phishing attempts.

Impact on Patients and Healthcare Providers

The Synnovis data breach does not affect direct clinical systems, but it does impact sensitive data that may include:

• Personal identifiers
• Associations with diagnostic tests
• Metadata from pathology workflows
• Procedural documents referencing clinical processes

Affected healthcare providers must now:

• Review the stolen data relevant to their facilities
• Determine notification requirements for their patients
• Evaluate risk exposure and implement mitigation measures

This process will continue for months, given the complexity of the reconstructed data.

Long Term Consequences of the Synnovis Data Breach

The Synnovis data breach raises important concerns for UK healthcare cybersecurity:

• The need for stronger network segmentation across pathology systems
• Better incident response frameworks for high risk healthcare operations
• Higher investment in digital security for NHS partners
• More robust backup strategies for operational continuity
• Widespread review of supply chain cybersecurity requirements

Long term, the event may become a catalyst for more rigorous standards across NHS partner organizations and suppliers, especially those handling diagnostic and clinical data.

How Individuals Can Protect Themselves

The NCSC recommends that individuals concerned about exposure in the Synnovis data breach:

• Monitor accounts and health related correspondence
• Be cautious of unsolicited contact claiming to represent medical providers
• Avoid clicking links in suspicious emails
• Use strong, unique passwords for all accounts
• Enable multi factor authentication where possible
• Scan devices for malware using tools such as Malwarebytes

While the stolen data is primarily clinical and administrative in nature, criminals may attempt to exploit it through fraud, impersonation, or social engineering.

Future Outlook for Synnovis and Associated NHS Trusts

In the months ahead, Synnovis plans to:

• Continue supporting NHS organizations that require help interpreting the breach
• Provide updated materials through their dedicated support website
• Work with internal and external cybersecurity partners to strengthen infrastructure
• Collaborate with regulators and government agencies as required

Healthcare cybersecurity remains one of the most challenging domains due to the combination of critical services, sensitive data, and legacy systems. The Synnovis data breach will likely be studied as a case example for years to come, both for its operational impact and the complexity of reconstructing fragmented stolen data.

For more detailed reporting on global cyber incidents and major data breaches, visit Botcrawl’s full coverage in the data breaches and cybersecurity sections.