Synnovis Issues Breach Notifications 17 Months After the June 2024 Ransomware Attack

The Qilin ransomware group launched an attack on June 3, 2024, and encrypted files on Synnovis’ systems. Before encrypting the files in the victim’s network, the attacker exfiltrated data. The ransomware attack severely disrupted Synnovis’ business operations, including many of its pathology services. Synnovis said the attack affected almost all of its IT systems.

NHS trusts that depended on Synnovis’ blood testing and other laboratory services were forced to cancel appointments. The reduced blood-testing capacity led to a shortage of O-negative blood, which persisted for months as stocks were depleted across the country. Many patient services were disrupted, with more than 10,000 appointments canceled after the attack.

Synnovis quickly opened an investigation and assembled a team of specialists from Synnovis, the affected NHS Trusts, NHS England, and third-party experts to restore systems and records as soon as possible. Synnovis notified the National Cyber Security Centre (NCSC), the UK’s National Crime Agency (NCA), and the Information Commissioner’s Office (ICO) and worked directly with those agencies throughout the recovery.

By the end of autumn 2024, all of the affected IT infrastructure had been replaced, and systems and services had returned to pre-attack working levels. In the fourth month after the attack, a new blood transfusion system had been rebuilt. In the fifth month, many of the core systems had been migrated to the cloud. By November 2024, more than 75 applications had been rebuilt, and the pathology system had been reconnected to seven sites, covering more than 65 scientific analyzers and over 120 individual connections.

Identifying which organizations and individuals were affected, and what types of data were compromised, took longer. Synnovis said the ransomware group exfiltrated files in a hurried and indiscriminate manner. Because of the scale of the task and the complexity of the data analysis, the work took more than a year to complete and required bespoke systems and newly designed procedures to restore the affected data.

Synnovis stated that the forensic analysis confirmed no information was taken from its primary laboratory databases, and that the stolen data was not of a type that could be readily exploited by a malicious actor. Despite a comprehensive forensic investigation, it was not possible to determine how the ransomware group gained access to the network. All IT infrastructure affected by the cyberattack was completely replaced.

Synnovis stated that it consulted the affected NHS trust partners, and together they decided not to pay the ransom, as doing so would be against its ethical standards. It also noted that the attacker would only use the ransom to finance further attacks on critical infrastructure entities, potentially endangering national security. Synnovis did not disclose the amount of the ransom demand.

Synnovis has recently completed the data analysis and repair, and the affected organizations are now being notified. Mailing of the notifications will be completed on November 21, 2025. The affected organizations will then decide whether notifications must be sent to the affected patients under UK data protection laws. Synnovis stated that it will not contact affected patients directly. UK data protection laws (similar to HIPAA) require the data controller to carry out its own legal and risk assessments to determine whether notifications are necessary. Anyone who receives information about the data breach that claims to come from Synnovis, rather than from one of the affected organizations, should treat it as a scam.

The incident illustrates the severe impact ransomware attacks can have on critical infrastructure. In this instance, it was a deliberate attack intended to cause widespread disruption for financial gain.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]