The June 3 cyberattack crippled all of Synnovis’s IT systems, forcing hospitals to cancel operations and turn patients away. Synnovis refused to pay the ransom, opting instead to collaborate with authorities and cybersecurity specialists to contain and investigate the breach. The organization undertook the significant task of completely rebuilding its compromised IT infrastructure, successfully restoring all affected services by late 2024.
The Qilin ransomware group claimed responsibility for the attack on June 20, 2024, subsequently publishing an alleged 400 gigabytes of data stolen from Synnovis. The provider stated that the stolen data was hastily and randomly taken from its working drives, confirming that no information was taken from its primary lab databases. Synnovis immediately secured a legal injunction to protect patients and service users, successfully leading to the removal of the shared data from public locations.
Investigating the full extent of the data theft was a challenging process, taking over a year due to the stolen information being “unstructured, incomplete and fragmented.” Synnovis determined that the compromised personal information included patient names, dates of birth, and NHS numbers. In certain instances, test results were also compromised, appearing in various formats such as simple test results, numerical results, and narrative information.
Synnovis expressed belief that its partner organizations might be able to ‘enrich’ the fragmented data and connect it to specific patients where the pathology provider could not. While Synnovis has found no evidence that the stolen data has been misused or that the cybercriminals’ interest is ongoing, it has begun notifying the affected organizations. Synnovis will not directly notify individual patients, deferring that decision to each of the impacted organizations, with the entire notification process expected to be completed by November 21.
Reference:
