An NHS pathology provider that was hit by ransomware in one of the worst breaches of 2024 has finally begun to notify its clients about how much data was stolen.
A ransomware attack on Synnovis in June 2024 led to blood supply shortages and the cancellation of 10,000 acute outpatient appointments and over 1,700 elective operations in London and the South East. At least one fatality has been linked to the attack, which was perpetrated by a Qilin affiliate.
On June 20 2024, threat actors from the group published 400GB of data they claimed was exfiltrated from the firm, including patient names, NHS numbers and descriptions of blood tests.
As the company refused to pay its extorters, it’s presumed the stolen data was subsequently sold on the cybercrime underground.
However, the extent of the breach has until now been a mystery, although some estimates put the number at around one million patients.
Synnovis said in an update this week that it was now in the process of notifying the affected data controllers – which in this case will be its NHS customers.
“Each affected organization will, under UK data protection laws, decide if any patients need to be notified and how they will make those notifications,” it added.
The process will be completed by November 21, although the data controllers themselves will need time to sift through the relevant information before they notify impacted patients.
Complexity and Delays
Synnovis blamed the delay on the “exceptional scale and complexity” of the investigation, adding that during the attack “data was stolen in haste and in a random manner from Synnovis’ working drives.”
Its statement continued: “This investigation has taken more than a year to complete because the compromised data was unstructured, incomplete and fragmented, and often very difficult to understand. We appointed cybersecurity experts who had to use highly specialized platforms and bespoke processes to piece it together.”
However, experts have slammed the slow pace of progress.
Damon Small, a board member at Xcape, described the 17-month delay as “a completely unacceptable failure” in incident response.
“The human impact, including a patient death and severe service interruptions, far surpasses the complexities of the forensic investigation,” he added.
“When a vendor fails, the clock on patient safety and privacy must start immediately, not 17 months later.”
Denis Calderone, COO at Suzu, argued that the delay is likely due to poor data management.
“Unstructured and fragmented data isn’t a valid excuse; it’s evidence of inadequate data management. If you can’t quickly identify compromised information, you’ve fundamentally failed basic data governance,” he added.
“Incident response in healthcare is genuinely difficult, but when a breach reportedly contributes to patient deaths and impacts nearly a million people, the industry needs more than lessons learned behind closed doors. We need transparency that helps others defend themselves.”