Incident Analysis

NHS Synnovis Data Breach 2024: How Qilin Ransomware Exposed Patient Records

On June 3, 2024, the Qilin ransomware group attacked Synnovis — a pathology services provider serving major London NHS hospitals including King's College Hospital and Guy's and St Thomas'. Over 10,000 outpatient appointments and 1,700 elective procedures were postponed in the following weeks. Qilin published nearly 400GB of stolen data on their dark web leak site, including patient names, dates of birth, NHS numbers, and blood test results. The attack demonstrated that healthcare supply chains remain critically vulnerable to data exfiltration.

400GB of patient data published. 10,000+ appointments postponed. NHS declared critical incident.

The Attack on Synnovis

Synnovis — a joint venture between Synlab and Guy's and St Thomas' NHS Foundation Trust — provides pathology testing services across southeast London. Qilin compromised Synnovis's IT systems, encrypting critical infrastructure and exfiltrating approximately 400GB of sensitive data before the ransomware was deployed. The attack disrupted blood testing, tissue analysis, and other pathology services that underpin clinical decision-making. Without pathology results, hospitals could not safely proceed with surgeries, transfusions, or diagnoses that depended on laboratory confirmation.

  • June 3, 2024: Qilin ransomware deployed against Synnovis systems
  • June 4: NHS declares critical incident across southeast London trusts
  • June 5–21: Over 10,000 outpatient appointments postponed or cancelled
  • June 5–21: Approximately 1,700 elective surgical procedures delayed
  • June 20: Qilin publishes approximately 400GB of stolen data on dark web
  • Impact persisted for weeks as pathology services were gradually restored

What Data Was Exfiltrated and Published

Qilin published the stolen data after Synnovis refused to pay the ransom. The dataset included patient names, dates of birth, NHS numbers, blood test results, and referral details linking patients to specific medical conditions. Blood test results are particularly sensitive because they can reveal HIV status, pregnancy, drug use, genetic conditions, and other deeply personal medical information. The publication of this data on Qilin's leak site — accessible to anyone with a Tor browser — represents one of the most damaging healthcare data exposures in UK history. Affected patients face risks of discrimination, blackmail, and psychological harm that extend far beyond typical financial data breaches.

Supply Chain Vulnerability in Healthcare

The Synnovis attack followed a pattern seen repeatedly in healthcare: the target was not a hospital directly but a third-party service provider with deep access to patient systems and data. Synnovis held pathology data for millions of patients across multiple NHS trusts. A single compromise of this supply chain node disrupted care across an entire region. Healthcare organisations increasingly rely on shared service providers for pathology, radiology, HR, and IT — each one representing a concentration of sensitive data and a single point of failure. The lesson is that healthcare data protection cannot end at the hospital perimeter.

How Anti-Data Exfiltration Addresses Healthcare Risk

The 400GB data exfiltration from Synnovis took time — bulk transfers of this magnitude cannot happen instantaneously, even on fast networks. BlackFog's ADX technology monitors outbound data flows continuously and blocks transfers to unauthorised external destinations. In a healthcare environment, where legitimate outbound data transfers follow predictable patterns (e.g., NHS Spine, approved lab systems), any large-scale transfer to an unknown external endpoint is anomalous and should be blocked automatically. ADX provides the specific control that prevents patient data from leaving the network — the one outcome that transforms a contained security incident into a public data breach.
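The outbound-flow check described above, sketched as an added example (not BlackFog's implementation and not code from the original page): it sums the bytes each host sends to each destination outside an approved list over a sliding window and raises an alert when the total crosses a threshold. The networks, host names, flow-record format, window and threshold are all assumptions, and the sample flows are constructed.

```python
import ipaddress
from collections import defaultdict, deque

# Every network, host name and threshold here is a constructed assumption.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
APPROVED_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # stand-in for approved external systems
WINDOW_SECONDS = 3600              # sliding window length
THRESHOLD_BYTES = 500 * 1024**2    # alert above 500 MiB per (host, destination) per window

# Constructed flow records, sorted by time: epoch_seconds,src_host,dst_ip,bytes_out
SAMPLE_FLOWS = """\
1000,lab-ws-01,198.51.100.10,80000000
1300,lab-ws-01,203.0.113.77,200000000
1900,lab-ws-02,203.0.113.77,5000000
2500,lab-ws-01,203.0.113.77,200000000
3100,lab-ws-01,203.0.113.77,200000000
9000,lab-ws-01,203.0.113.77,100000000
"""

def is_approved(dst):
    """True if the destination is internal or on the approved external list."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in INTERNAL_NETS + APPROVED_NETS)

def detect_bulk_egress(lines, window=WINDOW_SECONDS, threshold=THRESHOLD_BYTES):
    """Return (ts, src, dst, bytes_in_window) for each flow that pushes an
    unapproved destination's windowed total over the threshold.
    Assumes the records arrive in timestamp order."""
    windows = defaultdict(deque)   # (src, dst) -> deque of (ts, bytes)
    totals = defaultdict(int)      # (src, dst) -> bytes currently inside the window
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split(",")
        ts, nbytes = int(ts), int(nbytes)
        if is_approved(dst):
            continue               # predictable, sanctioned traffic is not counted
        key = (src, dst)
        windows[key].append((ts, nbytes))
        totals[key] += nbytes
        # Drop flows that have aged out of the sliding window.
        while windows[key][0][0] <= ts - window:
            totals[key] -= windows[key].popleft()[1]
        if totals[key] > threshold:
            alerts.append((ts, src, dst, totals[key]))
    return alerts
```

A volume threshold like this only surfaces bulk transfers, so the window and threshold need tuning against a baseline of the site's normal outbound traffic.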

Frequently Asked Questions

Who attacked Synnovis?

The Qilin ransomware group, a Russian-speaking ransomware-as-a-service operation active since 2022. Qilin recruits affiliates who conduct attacks using Qilin's ransomware tools and infrastructure, sharing ransom payments with the group.

What should patients affected by the Synnovis breach do?

Affected patients should be alert to phishing attempts using their medical information, monitor for any unusual use of their NHS number, and report any suspicious communications to Action Fraud. The exposure of blood test results means personal health information may be used in targeted social engineering.

Could BlackFog have prevented the Synnovis data breach?

BlackFog's anti-data exfiltration technology blocks unauthorised outbound data transfers at the endpoint level. The 400GB exfiltration to Qilin's infrastructure would have been detected and blocked, preventing the data from leaving Synnovis's network even though the attackers had gained internal access.

Protect patient data with anti-data exfiltration

Kyanite Blue is an authorised BlackFog partner. We deploy, manage, and support ADX for organisations across every sector.
