Synnovis notifies of data breach after 2024 ransomware attack

Synnovis, a leading UK pathology services provider, is notifying healthcare providers that a data breach occurred following a ransomware attack in June 2024, which resulted in the theft of some patients’ data.

Synnovis is now reaching out to affected organizations, including NHS hospitals and clinics, but will not contact patients directly. Patient notifications will be handled by the impacted NHS organizations, as required by UK data protection law.

“The stolen data was unstructured, incomplete and fragmented, requiring the use of highly specialised platforms and bespoke processes to piece it together – factors which heavily influenced the duration of the investigation.”

The stolen data includes personal information, such as the affected patients’ NHS numbers, names, dates of birth, and, in some cases, test results that could be matched to an individual. However, Synnovis says the majority of the stolen information requires “clinical knowledge or further enrichment to interpret.”

Breach linked to the Qilin ransomware gang

On June 3, 2024, Synnovis was hit by a ransomware attack with “major impact” on procedures and operations at multiple major NHS hospitals in London, including King’s College Hospital, Guy’s Hospital, St Thomas’ Hospital, Royal Brompton Hospital, and Evelina London Children’s Hospital.

Non-emergency pathology appointments and blood transfusions at the impacted London hospitals were either canceled, postponed, or redirected to other providers. The incident also led to blood shortages in London and forced affected hospitals to cancel over “800 planned operations and 700 outpatient appointments.”

On June 20, 2024, the attackers released data allegedly stolen from Synnovis’ system, prompting the company to notify the Information Commissioner’s Office and secure a legal injunction against further use.

While Synnovis has yet to name the threat group behind last year’s ransomware attack, the incident was linked to the Qilin ransomware operation by Ciaran Martin, the founder and first CEO of the National Cyber Security Centre (NCSC).

(Source: BleepingComputer)
