Home
Our Services
Free resources
- Privacy Research
  Free to use data privacy research
  Key Capabilities
  Latest privacy news tracking
  Product versions
  Latest privacy news tracking
  Track the latest news, breaches and fines
  Key features
  Tracks the latest breaches and fines
  View by industry
  View by breach method
  View by privacy topic
  Links to original articles
  Free to use
  
  Learn more »
  Latest Threat Intelligence
  Product versions
  Latest Threat Intelligence
  Track the Common Vulnerability Exposures (CVEs)
  Key features
  Tracks the latest vulnerabilities
  View by company
  View by breach method
  Links to NVD
  Free to use
  
  Learn more »
  Breach modelling and ROI calculator
  Product versions
  Breach modelling and ROI calculator
  Model what a breach would look like for you in your industry and use this to calculate your return on investment
  Key features
  Model your breach
  Assess the severity
  Compare by industry
  Breakdown costs
  Export to your business plan
  Free to use
  
  Learn more »
Privacy news
Company
- About Us
- FAQ
- Contact Us

Patients left in the dark months after cybercriminals leak testing lab data The Record from Recorded Future News

pppLeadershipppCybercrimeppNationstateppElectionsppTechnologyppCyber DailyppClick Here Podcastpp Free Newsletterpp More than 11 months after a ransomware group published information from a UK pathology services company the affected patients still have not been informed about what data of theirs was exposed in the incident with material about sexually transmitted infections and cancer cases being included in the leaks pp The data was compromised during an attack by the Qilin cybercrime group against Londonbased Synnovis last June The attack severely disrupted care at a large number of National Health Service NHS hospitals and care providers in London pp Synnovis maintains an information page about the incident but it still has not provided an estimate of the number of patients impacted nor a detailed list of what data was published by the criminals The page confirms that some patient information was compromised and says In some circumstances this information may contain personal data such as names NHS numbers and test codes identifying the requested test although analysis is ongoing pp Contacted again this week the company described the process as significantly advanced but still ongoing pp An analysis of the data by data breach specialists CaseMatrix suggests more than 900000 individuals were impacted with the published material including names dates of birth NHS numbers and in some cases personal contact details But the most sensitive information CaseMatrix identified included pathology and histology forms used to share patient details between medical departments and institutions These forms often describe symptoms of intimate and private medical conditions including cancer and STIs pp Immediately following the attack Synnovis had to focus on recovering its critical blood testing services The impact of the cyberattack severely reduced blood stocks across the United Kingdom as medical professionals were forced to use universal donor types because of limitations on blood matching leaving several hospitals on the brink of limiting transfusions to only the most critical patients pp Three months after the incident when Synnovis announced having successfully rebuilt the majority of its core IT systems and recovered its diagnostic services individuals whose data was compromised in the attack had still not been provided with even a preliminary warning about the sensitivity of what was exposed pp At the time Synnovis said it had initiated an eDiscovery process shortly after the cyberattack to interrogate the data that was stolen and to identify any organisations and individuals it may relate to and last September described the process as advanced pp Synnovis stated We will notify any relevant organisations directly should this process determine that data associated with their organisation was impacted pp A spokesperson for two NHS Trusts that used Synnovis Guys Hospital and St Thomas and Kings College Hospital told Recorded Future News they were awaiting the outcome of Synnovis eDiscovery process to be notified about what data had been affected pp A spokesperson for NHS England redirected Recorded Future News to Synnovis pp According to guidance from the Information Commissioners Office ICO Britains privacy laws recognise that data breaches cannot always be fully investigated within a short time period but there remains a legal requirement for organisations to inform data subjects about the compromise of sensitive details pp A relevant example published by the ICO states A hospital suffers a breach that results in accidental disclosure of patient records There is likely to be a significant impact on the affected individuals because of the sensitivity of the data and their confidential medical details becoming known to others This is likely to result in a high risk to their rights and freedoms so they would need to be informed about the breach pp A spokesperson for Synnovis stated We understand and share the eagerness for this investigation to conclude It is nearing completion which is significant progress and allows us to now finalise the processes and mechanisms required to update any affected organisations and individuals as appropriate ppAlexander Martinppis the UK Editor for Recorded Future News He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research InitiativeppPrivacyppAboutppContact Uspp Copyright 2025 The Record from Recorded Future Newsp

Read the original article 13 May 2025

Key Capabilities

Latest privacy news tracking

Latest Threat Intelligence

Breach modelling and ROI calculator

Patients left in the dark months after cybercriminals leak testing lab data The Record from Recorded Future News