Synnovis has finally wrapped up its investigation into the 2024 ransomware attack that crippled pathology services across London, ending an 18-month effort to untangle what the NHS supplier describes as one of the most complex data reconstruction jobs it has ever faced.
The attack, claimed at the time by the Qilin ransomware gang, forced the cancellation of thousands of appointments and operations after the pathology provider’s systems went dark in June 2024. Synnovis has now confirmed that its forensic review is complete, but the company still isn’t saying how many people were affected.
Security firm CaseMatrix previously estimated that data relating to more than 900,000 NHS patients was leaked, according to Recorded Future, though Synnovis has neither corroborated nor disputed that figure.
Cancer patient forced to make terrible decision after Qilin attack on London hospitals
READ MORE
Notably, in June 2025, King’s College Hospital NHS Trust confirmed that the disruption caused by Synnovis’s supplier breach contributed to the death of a patient – a finding that marks one of the rare occasions a ransomware incident has been linked to a fatality.
In a statement published this week, Synnovis said the investigation “took more than a year to complete because the compromised data was unstructured, incomplete and fragmented, and often very difficult to understand.” It added that specialist incident response teams had to use “highly specialized platforms and bespoke processes” to work through terabytes of jumbled information and identify which healthcare providers’ patients were affected.
Synnovis CEO Mark Dollar said: “It has taken more than a year of painstaking investigation to decipher and piece together the data stolen in this smash-and-grab cyberattack. I’ve seen first hand the scale of the challenge – even for leading cyber experts – to tackle the random and fragmented nature of the data scraped from our systems.”
Synnovis said it will finish notifying all NHS organizations that relied on its pathology services by November 21, telling them whether patient data they entrusted to the company was caught up in the breach. Under UK data protection law, it will then be up to those hospitals, GP surgeries, and clinics to inform individual patients.
The company warned that patients may be waiting a while yet. “It may take some time for healthcare providers to notify impacted patients,” it said. “We recommend checking the website of your healthcare provider(s) for any relevant updates.”
While the Qilin crew dumped stolen files online last summer, Synnovis stressed that the haul was taken “in haste from a working drive, in a random and untargeted manner.” It said attackers did not access its primary laboratory database and instead made off with whatever files they could grab during the intrusion.
Some documents contained fragments of personal data, such as NHS numbers, names or dates of birth, according to Synnovis’s dedicated cyberattack website, while a “very small amount” included test results that investigators could match to a specific person. “The majority of test results would require clinical knowledge or further enrichment to interpret,” Synnovis said, adding that they lacked the kind of clear positive/negative flags that would make them easy to misuse.
Synnovis also said the stolen data “has never been available in a form that could easily be used by anyone with ill intent,” although even partial personal or medical information can be valuable to fraudsters or foreign intelligence services when combined with data from other breaches.
The company reiterated that it did not pay a ransom to Qilin, saying the decision was made jointly with the NHS trusts it serves. “This decision… reflects our commitment to ethical principles and the rejection of funding future cybercriminal activities that threaten critical infrastructure, patient privacy, and national security,” Synnovis said, though it declined to reveal the ransom amount demanded.
The Qilin gang has targeted health providers, schools, manufacturers, and local governments using double-extortion tactics. The group typically exfiltrates large volumes of data before encrypting systems, then threatens to publish the stolen material if victims refuse to pay.
Write-back to aging UK health systems lessens benefits of Palantir-based platform
READ MORE
The group, believed to be of Russian origin, told The Register that its attack on Synnovis was deliberate, saying “all of our attacks are not accidental” and that “we choose only those companies whose management is directly or indirectly affiliated with the political elites of a particular country.”
Synnovis said its forensic investigation could not determine how the attackers first gained entry. All affected infrastructure has since been replaced, and the company maintains that none of the compromised systems remain in use. That lack of clarity over initial access is likely to raise further questions for NHS England, which has faced mounting scrutiny over the security of suppliers embedded in frontline care.
For patients, however, the wait for answers continues. With Synnovis passing responsibility for notifications to the hundreds of NHS organizations it supports, the timeline for individual disclosures will now vary depending on how quickly each provider processes the company’s findings. At the very least, it brings to a close one of the longest and most disruptive incident investigations in recent NHS history – albeit without resolving how nearly a million people’s data ended up in criminals’ hands. ®