Pathology supplier Synnovis is contacting NHS organisations which had data stolen and published online following a major cyber attack last year.
The ransomware attack on 4 June 2024, which led to a patient death, caused widespread disruption to NHS services in London including thousands of delayed appointments at King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust and delays to blood testing in primary care.
Synnovis has now completed its investigation into patient and staff data published online by the cyber criminal gang on 20 June 2024, which includes personal data such as names, NHS numbers, test results and test codes that indicate the nature of tests requested.
The stolen data also includes information originating from Synnovis’ administrative working drive which supported the firm’s corporate and business support activities.
Mark Dollar, chief executive at Synnovis, said in a statement: “It has taken more than a year of painstaking investigation to decipher and piece together the data stolen in this smash-and-grab cyberattack.
“I’ve seen first-hand the scale of the challenge – even for leading cyber experts – to tackle the random and fragmented nature of the data scraped from our systems.
“Our focus now turns to notifying the organisations affected. We are offering our full support as they determine their next steps, including dedicated contact points, supporting materials and a website we’ll keep updated with relevant information.”
In an update on 10 November 2025, NHS England said that the investigation has taken Synnovis “more than a year to complete because the stolen data was “unstructured, incomplete and fragmented”.
Synnovis said that the data stolen is separate to the database which supports laboratory operations and holds the majority of test requests and results.
It has begun notifying organisations which had data stolen, including NHS hospitals, GP practices and clinics, with the process expected to conclude by 21 November 2025.
These providers will review copies of the stolen data to understand what it contains, who it may identify and if individuals need to take any steps because of their data being impacted.
NHSE said that once each organisation has assessed the impacted data they may contact patients via “letters to individual patients, a statement on their website or other forms of communication”.
In a statement, King’s College Hospital NHS Foundation Trust said: “We have now received notification from Synnovis regarding the impact of the cyber attack on their systems and are the scope of affected data.
“We are carefully reviewing and scrutinising all available information provided by Synnovis to fully understand the implications of the data breach and the specific data that may have been affected.
“Once our analysis is complete, we will notify affected individuals where appropriate.”
It added that the trust is “committed to safeguarding patient and staff data”.
Last month, cyber security expert Saif Abed, founding partner at the AbedGraham Group, called for a public inquiry into the Synnovis attack and urged NHS leaders to write to MPs requesting an investigation into NHS cyber security and patient safety following the critical incident.
