Synnovis, a number one UK pathology companies supplier, is notifying healthcare suppliers {that a} data breach occurred following a ransomware assault in June 2024, which resulted within the theft of some sufferers’ information.
Previously referred to as Viapath, Synnovis was based as GSTS Pathology in 2009 and switched to the Synnovis model in October 2022.
Synnovis is a partnership between worldwide medical diagnostics supplier SYNLAB, Man’s and St Thomas’ NHS Basis Belief, and King’s Faculty Hospital NHS Basis Belief, and it gives pathology companies to UK healthcare organisations, together with the Nationwide Well being Service (NHS).
Synnovis is now reaching out to affected organizations, together with NHS hospitals and clinics, however won’t contact sufferers instantly. Affected person notifications will likely be dealt with by the impacted NHS organizations, as required by UK information safety regulation.
“We’ve now begun notifying the organisations whose information was affected and anticipate to conclude this course of by 21 November 2025. This marks the newest stage of investigation that has taken a big staff of forensic specialists and information specialists over a yr to finish,” Synnovis stated in a Monday press launch.
“The stolen information was unstructured, incomplete and fragmented, requiring using extremely specialised platforms and bespoke processes to piece it collectively – elements which closely influenced the length of the investigation.”
The stolen information contains private data, such because the affected sufferers’ NHS numbers, names, dates of start, and, in some instances, check outcomes that could possibly be matched to a person. Nonetheless, Synnovis says the vast majority of the stolen data requires “scientific data or additional enrichment to interpret.”
Breach linked to the Qilin ransomware gang
On June 3, 2024, Synnovis was hit by a ransomware assault with “main affect” on procedures and operations at a number of main NHS hospitals in London, together with King’s Faculty Hospital, Man’s Hospital, St Thomas’ Hospital, Royal Brompton Hospital, and Evelina London Kids’s Hospital.
Non-emergency pathology appointments and blood transfusions on the impacted London hospitals have been both canceled, postponed, or redirected to different suppliers. The incident additionally led to blood shortages in London and compelled affected hospitals to cancel over “800 deliberate operations and 700 outpatient appointments.”
On June 20, 2024, the attackers launched information allegedly stolen from Synnovis’ system, prompting the corporate to inform the Data Commissioner’s Workplace and safe a authorized injunction towards additional use.
Whereas Synnovis has but to call the menace group behind final yr’s ransomware assault, the incident was linked to the Qilin ransomware operation by Ciaran Martin, the founder and first CEO of the Nationwide Cyber Safety Centre (NCSC).
On a devoted website, the corporate confirmed that it did not pay a ransom following the incident, following a joint resolution with its NHS Belief companions that “displays our dedication to moral ideas and the rejection of funding future cybercriminal actions that threaten crucial infrastructure, affected person privateness, and nationwide security.”
Qilin surfaced in August 2022 as a Ransomware-as-a-Service (RaaS) operation underneath the “Agenda” identify and has since claimed accountability for greater than 300 victims on its darkish net leak website, together with automotive large Yangfeng and publishing large Lee Enterprises.
A Synnovis spokesperson was unable to supply an announcement when BleepingComputer reached out earlier immediately with a request for extra particulars.
As MCP (Mannequin Context Protocol) turns into the usual for connecting LLMs to instruments and information, security groups are shifting quick to maintain these new companies secure.
This free cheat sheet outlines 7 greatest practices you can begin utilizing immediately.
