
Date of Attack: June 3, 2024
Sector: UK Public Healthcare
Threat Actor: Qilin Ransomware Group
Executive Summary
On June 3, 2024, Synnovis, a pathology services provider for several London NHS Trusts, was the target of a ransomware attack attributed to the Qilin group. The incident caused widespread service disruptions across NHS pathology services in South London, affecting hospitals including Guy’s and St Thomas’ and King’s College Hospital.
Approximately 400GB of internal and patient-related data is believed to have been exfiltrated. The attack led to postponed surgeries, delayed diagnostics, and increased pressure on manual pathology processes. The event is one of the most disruptive cyberattacks on the UK’s healthcare infrastructure since the 2017 WannaCry outbreak.
Background
Synnovis is a joint venture between SYNLAB UK & Ireland, Guy’s and St Thomas’ NHS Foundation Trust, and King’s College Hospital NHS Foundation Trust. It operates pathology laboratories and supports diagnostic testing across South East London.
The organization plays a critical role in enabling routine and urgent medical diagnostics through its Laboratory Information Management Systems (LIMS) and integrated IT infrastructure.
Timeline of Events
Date / Time (BST) | Description |
---|---|
June 3, early morning | NHS Trusts report IT disruptions related to pathology services |
June 3, 09:00 | Synnovis confirms IT system compromise; systems taken offline |
June 3, evening | NHS England escalates incident to national cybersecurity response |
June 5 | Public acknowledgement of ransomware attack by Synnovis |
June 20 | Qilin group publishes 400GB of stolen data on dark web leak site |
Technical Details
Attack Vector (suspected):
- Likely phishing or credential compromise
- Possible exploitation of unpatched legacy systems
- Initial access method not publicly confirmed
Threat Actor:
- Qilin ransomware group, a financially motivated actor active since 2022
- Known for double extortion tactics (encryption + data theft)
- Operates a data leak site where exfiltrated files are published
Malware Behavior:
- File encryption across internal systems
- Lateral movement observed before containment
- Use of PowerShell-based deployment scripts
Affected Systems and Services
System | Description | Status |
---|---|---|
Laboratory Information Management System (LIMS) | Core platform for pathology workflow | Offline |
Electronic Test Ordering | Interface for clinicians to request diagnostics | Offline |
Blood Test Booking & Results Delivery | Automated service for outpatient diagnostics | Degraded |
Internal Document Repositories | Operational files and sensitive records | Compromised |
API Integrations with NHS Systems | Test result transmission and reporting | Disabled |
Backup and recovery operations are ongoing. As of this review, decryption of the ransomware-encrypted data has not been confirmed.
Data Exposure
The Qilin group claimed to have stolen roughly 400GB of data. Sample files published on their leak site include:
- Internal HR and payroll documents
- Diagnostic test results
- Patient identifiers and lab codes
- Staff emails and operational schedules
- System credentials and IT documentation
This likely constitutes a significant breach under the UK General Data Protection Regulation (UK GDPR), and the Information Commissioner’s Office (ICO) has been notified.
Impact Assessment
- Over 1,600 elective surgeries delayed or rescheduled
- Disruption to outpatient services and diagnostics
- Manual processes increased turnaround time significantly
- Reputational and operational damage to Synnovis and associated NHS Trusts
- Potential risk of fraud or identity misuse from leaked data
Healthcare operations remain affected weeks later, with full restoration still in progress.
Response and Recovery
- Synnovis isolated affected systems and brought in external forensics
- NHS Digital and the National Cyber Security Centre (NCSC) are coordinating national-level response
- Affected NHS Trusts implemented contingency workflows, including paper-based diagnostics
- Incident response teams are reviewing access logs and threat actor TTPs
- Patients are being contacted in priority order to minimize clinical risk
Lessons Learned
1. Supply Chain Risk Must Be Proactively Managed
Critical infrastructure should not rely on third parties without proper security assessments, segmentation, and oversight.
2. Legacy System Exposure Remains a Core Risk
Older systems used in pathology environments may lack modern security features and should be isolated, monitored, or replaced.
3. Incident Response Drills for Healthcare
Healthcare providers must frequently test ransomware-specific scenarios, with updated playbooks and role-based communications plans.
4. Data Governance and Encryption at Rest
Stolen documents included unencrypted sensitive data. Encryption at rest and better access controls are essential for limiting exposure.
Recommendations
- Conduct third-party vendor assessments with a focus on healthcare-critical services
- Enforce multi-factor authentication (MFA) across all administrative accounts and external access points
- Review and audit all systems that store or process personal health information (PHI)
- Ensure offline backups are regularly tested and physically separated from production systems
- Develop a ransomware response plan specific to clinical workflows and patient safety
Final Note
The Synnovis ransomware incident reflects the growing trend of threat actors targeting healthcare partners, where operational disruption has high stakes. This event should serve as a wake-up call for both public health agencies and their contractors to prioritize cyber resilience as a clinical safety issue.