Synnovis provides pathology services, including blood, urine and specimen testing to a number of healthcare organisations, including the NHS. Based in south-east London, Synnovis is co-owned by Guy’s and St Thomas’ NHS Foundation Trust, King’s College Hospital NHS Foundation Trust and SYNLAB.

On 3 June 2024, Synnovis was the victim of a ransomware cyber-attack, which disrupted Synnovis’ services across the UK and significantly reduced its capacity to process tests. The impact was greatest in south-east London, within Synnovis’ partner trusts and their local boroughs. While appointment cancellations were confined to south-east London, data stolen in the attack may potentially relate to any of Synnovis’ service users, including NHS organisations across England.

Synnovis immediately brought in professional specialist support to help manage the incident and dedicated all available resources to restoring services and rebuilding IT infrastructure. This took some time, but services were fully restored by December 2024.

On 20 June 2024, the criminals responsible for the cyber-attack published data files they had stolen in the attack.  Urgent steps were taken by Synnovis, working with the National Cyber Security Centre, law enforcement agencies and the NHS to minimise the risks to individuals and their data. Synnovis also obtained a legal injunction to prevent people from using or further publishing the data. Synnovis reported the incident to the Information Commissioner’s Office and has been in regular contact with them ever since.

Since then, Synnovis has had to undertake a complex investigation to understand what data had been stolen, and which organisations and individuals it related to. The investigation has taken more than a year to complete because the stolen data was unstructured, incomplete and fragmented. It took a long time to piece it together and work out which organisations and patients the data related to. This part of the investigation is now complete.

Synnovis is now in the process of contacting their impacted customers. Organisations that are impacted include some NHS hospitals, GP practices and clinics.

Synnovis will not be contacting patients directly. If patients are notified, the notification will be from an NHS organisation.

All Synnovis services that were available prior to the attack were restored by December 2024.  This incident is no longer causing disruption to patient appointments or services.

Yes. Synnovis confirmed in June last year that the cyber criminals behind the attack had published data files that were stolen from their systems.

The stolen data included unstructured, incomplete and fragmented files from Synnovis’ administrative working drive. This working drive is separate to the database which supports laboratory operations and holds the majority of test requests and results.  Synnovis has confirmed there is no evidence the cyber criminals published this database.

Urgent steps were taken to limit the impact, including Synnovis obtaining a legal injunction to prevent people from using or further publishing the data.

Synnovis has advised NHS England that the stolen data published by the cyber criminal gang included information originating from Synnovis’ administrative working drive. The working drive supported the corporate and business support activities of Synnovis.

An initial analysis of the stolen data which was published identified some personal data such as names, NHS numbers and test codes which told Synnovis the nature of any test that has been requested.

According to Synnovis, not all of the stolen data relates to patients, and where it does, the type of data varies from person to person. For some patients it may include personal data such as an NHS number, name or date of birth. For others, it may include test results (positive or negative), or numerical codes or values (for example, blood sugar level). In many instances it would be difficult to make sense of the test result data because it was written for clinicians and requires medical knowledge to understand what it means.

It is entirely separate to the database which supports laboratory operations and holds the majority of test requests and results. Synnovis has confirmed there is no evidence the cyber criminals published this database.

Synnovis is now informing its customers whether any of their data was stolen as part of the attack. For those that are impacted, they will be provided with details of the data that was stolen.

Following this, each organisation will be assessing the data to understand the risks that arise from it being stolen. These include:

• Whether an individual can be identified from the data released
• Whether the data impacted includes patients’ contact details
• Whether the data includes clinical information

For some organisations this will involve a significant amount of data and for others a smaller amount. This means the assessment of the data will vary across organisations and may take some time.

Once each organisation has assessed their impacted data they may be required to notify the ICO and to contact patients. This could involve letters to individual patients, a statement on their website or other forms of communication. All NHS organisations will be following ICO guidance on how to contact patients.

Synnovis will not be contacting patients directly, as determined by UK data protection laws.

A list of the NHS organisations that have told NHS England that they have made local statements about the incident will be published on the NHS England website. This list will be regularly updated and will include links to the relevant local websites where further information can be obtained.

A list of the NHS organisations that have told NHS England that they have made local statements about the incident will be published on the NHS England website. This list will be regularly updated and will include links to the relevant local websites where further information can be obtained.

We understand people may be concerned about data being stolen. We will continue to publish regular updates on this website about the incident and include links to other NHS organisation websites where you can find out more information as it becomes available.

The National Cyber Security Centre has also published some guidance for individuals and families that tells you what you can do to protect yourself from the impact of data breaches – Data breaches: guidance for individuals and families

You should always be alert to approaches from anyone claiming to have your data. You should also be alert to any other suspicious calls or emails, particularly if you are asked to provide personal or financial data.

If you are contacted by someone who claims they have your data, please contact Action Fraud who are the UK’s national reporting centre for fraud and cybercrime or call 0300 123 2040.

Send suspicious emails to report@phishing.gov.uk or texts to 7726.

The National Cyber Security Centre (NCSC) has further guidance for individuals and families on data breaches.

Patients impacted by the Synnovis cyber-attack may be contacted by the NHS with information about how the incident has impacted them. This may be in the form of a letter or an email. You will never be asked for personal or financial information. We will provide more information about what you can expect when organisations contact those people who have been affected.

If you receive an unexpected or suspicious email or a communication by other means that claims to come from the NHS, you should double-check it is legitimate by contacting the organisation or department directly.

Don’t use an address or phone number from the message itself – use the details from the official organisation’s website, for example the NHS trust or GP practice where you’ve been receiving care.

Please contact Action Fraud who are the UK’s national reporting centre for fraud and cybercrime or call 0300 123 2040.

Synnovis will not be contacting patients directly about this incident, as determined by UK data protection laws. If you are contacted by someone claiming to be from Synnovis, please contact Action Fraud who are the UK’s national reporting centre for fraud and cybercrime or call 0300 123 2040.

Send suspicious emails to report@phishing.gov.uk or texts to 7726.

Cyber threats are now an ever-present aspect of modern-life. Incidents continue to impact a wide range of sectors across the world – affecting data from many aspects of our lives.

Across the NHS, we are committed to constantly learning and improving. We work closely with industry partners and the National Cyber Security Centre (NCSC) to manage risks and we monitor for new threats 24 hours a day, 7 days a week – providing real-time protection for over 2 million computers across the NHS network. We proactively inform local NHS organisations of cyber security threats through our high severity alert system – enabling them to prioritise the most critical vulnerabilities and remediate them as soon as possible. Our cyber team is made up of sophisticated analysts, threat-hunters and intelligence gatherers whose expertise helps to keep healthcare systems available.

Since the Synnovis incident in June 2024, we have continued to increase cyber resilience across the NHS and our ambitious Cyber Improvement Programme is supporting the NHS to respond to the ever-changing cyber threats, expand protection and reduce the risk of a successful attack.

This incident is no longer causing disruption to patient appointments or services.