Pathology services provider Synnovis has confirmed that patient personal information was stolen in a June 2024 ransomware attack that disrupted the operations of several London hospitals.
Formed as a partnership between King’s College Hospitals NHS Trust, Guy’s and St Thomas’ NHS Foundation Trust, and SYNLAB, the organization provides pathology laboratory services to hospitals, mainly in southeast London.
The ransomware attack on Synnovis occurred on June 3 and affected all IT systems, interrupting its services and forcing hospitals to cancel operations and send patients away.
Synnovis did not pay a ransom but worked with authorities and cyber experts to contain and investigate the attack. It rebuilt the affected IT infrastructure from scratch and was able to restore all impacted services by late 2024.
On June 20, 2024, the Qilin ransomware gang claimed responsibility for the attack. The group has published roughly 400 gigabytes of data allegedly stolen from Synnovis.
“During the incident, data was stolen in haste and in a random manner from Synnovis’ working drives. No data was taken from our primary lab databases,” the pathology services provider explains.
“Synnovis took urgent steps to limit the impact, including obtaining an injunction to protect patients, colleagues and service users by preventing further publication of the data,” it says. The injunction allowed it to have the data removed from the locations where it was shared.
According to Synnovis, the investigation into the type of stolen information took over a year to complete, because the data was “unstructured, incomplete and fragmented, and often very difficult to understand”.
However, it believes that partner organizations should be able to ‘enrich’ the data and link it to individual patients where Synnovis could not.
The compromised personal information, it says, includes names, dates of birth, and NHS numbers. In some cases, test results were also compromised.
“This data appeared in a variety of formats including simple test results, test codes, numerical results, reference ranges, narrative information or a range of these,” the organization explains.
The medical services provider says it has no evidence that the stolen data has been misused, nor that the “cybercriminal’s interest in Synnovis or the data is ongoing”.
Synnovis says it has started notifying the organizations affected by the data breach and expects to complete the notification process by November 21.
However, it will not notify patients directly. Instead, each of the impacted organizations should decide whether to inform its patients of the data breach.

