Ransomware Attack on Synnovis Disrupts NHS Services and Raises Data Security Questions
- All Things Being ISOs
- Oct 15

A ransomware attack on Synnovis, a pathology services provider to several NHS trusts in London, has caused widespread disruption across hospital services, with implications for patient care and data security. The incident forced the cancellation of non-urgent operations, delays in test results, and the diversion of emergency patients to alternate facilities.
NHS England acknowledged the attack in a formal statement, confirming that the perpetrators claimed to have published some stolen internal data. The National Crime Agency has not yet verified the published records. The attack, attributed to the Qilin ransomware gang, led to Synnovis halting access to IT systems, impacting its ability to process urgent blood tests and causing knock-on effects across the healthcare network.
One NHS statement described the situation bluntly: “the perpetrators of the criminal attack have now claimed they have published some stolen internal data.” The statement emphasised that investigations are underway into both the data exfiltration and the disruption of services.
Hospital trusts including King’s College, Guy’s and St Thomas’, and other associated facilities were impacted. Some elective procedures were cancelled or postponed, and hospitals declared critical incidents to manage emergency care under constrained capacities.
From the technical side, one report outlined how the ransomware attack was traced back to Synnovis’ pathology systems, where attackers locked access to vital lab data. The malware’s effects forced staff to revert to manual processes to maintain some continuity of operations.
In a later development, UK health authorities confirmed that the attack contributed to a patient’s death at King’s College Hospital. Officials indicated that delays in obtaining critical blood test results were among the contributing factors. Mark Dollar, CEO of Synnovis, issued a statement expressing sorrow, saying: “We are deeply saddened to hear that last year’s criminal cyberattack has been identified as one of the contributing factors that led to this patient’s death.”
Financially, the consequences have been substantial. Synnovis estimated damages of more than £32 million from the disruption, recovery costs, lost contracts, and reputational impact. The attack also exposed approximately 400 GB of patient data, which the attacker published after Synnovis refused to meet ransom demands.
Security analysts have singled out this incident as indicative of how deeply integrated clinical operations are with IT infrastructure, and how failure in one link can cascade across health systems. One expert in threat research at Secureworks noted that the attack “highlighted the vulnerability of the health sector, because its troves of data make it a prime target.”
As investigations proceed, regulators and oversight bodies will likely scrutinise Synnovis’ security practices, including third-party risk assessments, incident response planning, segmentation of lab systems, and data access controls. The case is expected to inform future guidance for health sector organisations and data processors, especially under regimes like UK GDPR and frameworks such as ISO 27001.