Public Breach Analysis
A public press release from Synnovis, a critical UK pathology services provider for the NHS, has confirmed that patient data was stolen in the Qilin ransomware attack of June 2024. This is not a new breach: it is the official confirmation and notification of the data theft, which took a 17-month forensic investigation to establish.
The initial ransomware attack, which occurred on June 3, 2024, was one of the most disruptive cyberattacks in UK history. It caused a “major impact” on London hospitals (including Guy’s, St Thomas’, and King’s College), leading to over 800 canceled operations, 700 canceled appointments, and severe blood shortages.
The Qilin ransomware group, which took responsibility, released the stolen data on June 20, 2024, after Synnovis and its NHS partners refused to pay the ransom. According to Synnovis, the stolen data was “unstructured, incomplete and fragmented,” which is why it has taken a large team of experts until November 2025 to fully analyze the scope of the breach.
Synnovis is now notifying the affected NHS organizations, who will in turn be responsible for notifying the impacted patients by November 21, 2025.
Key Cybersecurity Insights
This incident provides critical, long-term lessons on ransomware and third-party risk:
- Critical Infrastructure as a Target with Physical Consequences: This is a textbook example of a cyberattack causing real-world harm. The Qilin group’s attack did not just steal data; it crippled essential health services, canceled surgeries, and put patient lives at risk.
- The “Long Tail” of Breach Analysis: The 17 months between the attack and full notification reflect a modern reality. A dump of unstructured data (documents, PDFs, scanned forms, fragments of files) is far harder to scope than a leaked SQL table with a known schema: identifiers have to be extracted, validated and deduplicated across many files before the number of affected individuals is even known. The full scope of such a breach is often not known for more than a year.
- Catastrophic Supply Chain (TPRM) Failure: The NHS trusts themselves were not the primary target; their critical third-party partner was. This attack underscores that an organization’s security is only as strong as the weakest link in its digital supply chain.
- The “No-Ransom” Stance: The joint decision by Synnovis and its NHS partners to refuse the ransom is a critical ethical and strategic stance. While it resulted in the data being leaked, it kept a potentially multi-million-pound payment from funding future criminal activity and demonstrated resilience, most plausibly because backup systems existed, even if restoration was slow.
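To make the “long tail” point concrete, here is an added example (not code from Synnovis, the NHS or Brinztech) of the first pass an analyst runs over unstructured breach data: pull candidate NHS numbers out of free text, reject false positives with the NHS number’s modulus-11 check digit (the real published algorithm), normalise dates of birth, and deduplicate across fragments so the count is of individuals rather than of hits. The fragments and the NHS numbers in them are constructed for illustration and refer to no real patient.

```python
"""Triage of unstructured breach data for NHS numbers.

Added example, not code from Synnovis, the NHS or Brinztech. The fragments
below are constructed for illustration; the NHS numbers are check-digit-valid
values chosen for the example, not real patients.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample of "unstructured, incomplete and fragmented" data:
# a request form line, a half-extracted PDF, a torn fragment and a typo.
SAMPLE_FRAGMENTS = [
    "Pathology request - NHS No 943 476 5919 - Smith, J - DOB 12/03/1961 - FBC",
    "result: HbA1c 48 mmol/mol\nNHS Number: 9434765870  Patient DOB 1958-07-30",
    "...frag...ment... 9434765919 ...",
    "NHS number 1234567890 (fails the check digit, so not a real number)",
]

# Candidate NHS numbers: ten digits, optionally written as 3-3-4 groups.
NHS_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{4})(?!\d)")
# Dates of birth in the two layouts present in the constructed sample.
DOB_DMY = re.compile(r"\b(\d{2})/(\d{2})/(\d{4})\b")
DOB_ISO = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")


def nhs_number_valid(digits: str) -> bool:
    """Modulus-11 check digit used by NHS numbers.

    Weights 10..2 are applied to the first nine digits; the check digit is
    11 minus the remainder, with 11 mapped to 0 and 10 meaning "invalid".
    """
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:  # no valid NHS number produces this remainder
        return False
    return check == int(digits[9])


def find_nhs_numbers(text: str) -> tuple[list[str], list[str]]:
    """Return (validated numbers, rejected ten-digit candidates) found in text."""
    valid: list[str] = []
    rejected: list[str] = []
    for m in NHS_CANDIDATE.finditer(text):
        digits = "".join(m.groups())
        (valid if nhs_number_valid(digits) else rejected).append(digits)
    return valid, rejected


def find_dobs(text: str) -> set[str]:
    """Normalise dd/mm/yyyy and yyyy-mm-dd dates to ISO yyyy-mm-dd strings."""
    found: set[str] = set()
    for d, m, y in DOB_DMY.findall(text):
        found.add(f"{y}-{m}-{d}")
    for y, m, d in DOB_ISO.findall(text):
        found.add(f"{y}-{m}-{d}")
    return found


def triage(fragments: list[str]) -> tuple[dict[str, dict[str, set]], list[str]]:
    """Map each unique NHS number to the fragment indices and DOBs it appears with.

    Deduplicating on the validated number is what turns "hits" into a count of
    affected individuals; rejected candidates are kept for manual review.
    """
    subjects: dict[str, dict[str, set]] = defaultdict(
        lambda: {"fragments": set(), "dobs": set()}
    )
    rejected: list[str] = []
    for idx, text in enumerate(fragments):
        valid, bad = find_nhs_numbers(text)
        rejected.extend(bad)
        dobs = find_dobs(text)
        for number in valid:
            subjects[number]["fragments"].add(idx)
            subjects[number]["dobs"] |= dobs
    return dict(subjects), rejected


if __name__ == "__main__":
    subjects, rejected = triage(SAMPLE_FRAGMENTS)
    print(f"{len(subjects)} individuals identified, {len(rejected)} candidates rejected")
    for number, info in subjects.items():
        print(number, "fragments:", sorted(info["fragments"]), "DOB:", sorted(info["dobs"]))
```

On the constructed sample the script reports two individuals from four fragments: the same NHS number appears in fragments 0 and 2 and is counted once, and the ten-digit string in fragment 3 is set aside because its check digit is wrong. Real dumps add OCR noise, scanned images and duplicate exports, which is why this step alone can take a team months at scale.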
Mitigation Strategies
While this breach is 17 months old, the mitigation strategies for both affected patients and other organizations are critical:
- For Affected Patients (Once Notified): Assume all leaked data (NHS number, name, DOB, test results) is being actively used by criminals. Be on extreme high alert for sophisticated phishing, vishing (voice), and smishing (SMS) attacks that use this data to impersonate the NHS, clinics, or insurance companies.
- Strengthen Third-Party Risk Management (TPRM): For all organizations, especially in critical sectors, this is the primary lesson. Conduct rigorous, continuous security reviews of every third-party vendor that has access to your network or handles your sensitive data, and know in advance exactly what each vendor can reach and what data it holds, so that an incident at the vendor can be scoped on day one rather than reconstructed afterwards.
- Implement Ransomware Defense-in-Depth:
- Network Segmentation: Prevent attackers from moving laterally from a less-secure partner network into your core systems.
- Multi-Factor Authentication (MFA): Enforce MFA everywhere, prioritising remote access, VPNs and administrative accounts, to block initial access via stolen credentials.
- EDR & Monitoring: Deploy advanced Endpoint Detection and Response (EDR) to detect the TTPs of groups like Qilin before they can deploy ransomware.
- Maintain Offline, Immutable Backups: The ability to refuse a ransom demand comes from one place: secure, tested, offline (or immutable) backups that the attackers cannot encrypt or delete. Note the limit, which this incident illustrates: backups restore operations, but they do nothing for data that has already been exfiltrated, so the leak still has to be handled as a data breach.
Secure Your Business with Brinztech: Global Cybersecurity Solutions
Brinztech protects organizations worldwide from evolving cyber threats. Whether you’re a startup or a global enterprise, our expert solutions keep your digital assets safe and your operations running smoothly.
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@mediumpurple-wildcat-111756.hostingersite.com