NHS cyber incident · Patient data · Public trust
The ransomware attack on Synnovis exposed a hard truth about modern healthcare: patient safety, public trust and data protection now depend on the resilience of digital systems as much as on clinical skill. When pathology systems fail, the harm is not limited to privacy. Appointments are delayed, services are disrupted, patients are left uncertain, and the public is asked to trust processes it cannot see.
Publication snapshot
- The article examines the Synnovis ransomware incident as a healthcare-cybersecurity and public-confidence case study.
- The central issue is not only whether personal data was stolen, but whether clinical services, breach communication and system recovery were resilient enough.
- Data-security obligations require appropriate technical and organisational measures, including resilience, restoration and testing.
- The practical lesson is a four-part accountability test: what happened, who was affected, what was done, and what changes followed.
The core point: healthcare cyberattacks are patient-safety events
The Synnovis ransomware incident was not just an information-technology story. Synnovis provides pathology services to NHS organisations, and the reported disruption affected blood testing, transfusion-related work, hospital operations, GP services and patient communication.
That matters because healthcare data is operational as well as personal. It is used to diagnose, treat, schedule, prioritise and reassure. When attackers encrypt systems, threaten publication or remove access to critical pathology infrastructure, the risk moves beyond confidentiality into continuity of care.
The public-confidence question is therefore wider than “was data leaked?”. It is whether the NHS, its suppliers and regulators can show that systems are secure, recoverable, accountable and capable of communicating clearly with affected patients.
The incident: ransomware, pathology systems and reported data publication
On 3 June 2024, Synnovis was reported to have suffered a ransomware attack affecting pathology services used by major London NHS trusts and GP services. Public reporting identified the Qilin ransomware group as the group believed or reported to be responsible.
The attack was reported to have disrupted Synnovis systems and affected NHS services that depended on pathology results. Later reporting stated that files claimed to have been stolen from Synnovis were published online, with several reports describing the published material as close to 400GB. The contents and full implications were matters for investigation.
System compromise
Ransomware is reported to have affected Synnovis systems supporting pathology services.
Service disruption
Hospitals and GP services experienced disruption because pathology workflows were impaired.
Data-publication concern
Files claimed to have been stolen were reportedly published, triggering patient-data and fraud-risk concerns.
Public response
Patients needed clear information about appointments, urgent care, data risk and support routes.
Patient data risk: why this breach was so sensitive
The reported data categories included names, dates of birth, NHS numbers and descriptions of blood tests. Some reporting also referred to business or financial spreadsheets connected to NHS service arrangements. Public reports differed on the level of certainty about test results and the full content of the published files.
For publication, the safe point is this: healthcare data is special because it can be intimate, identifying and operationally important. Even where the full contents are still being verified, the possibility that patient identifiers and test-related descriptions were exposed creates a serious privacy and fraud-risk concern.
Names, dates of birth and NHS numbers
Identifiers can assist impersonation, phishing and targeted scams, especially where attackers combine them with other information.
Test descriptions and clinical context
Even without full results, descriptions of tests may reveal sensitive information about care, diagnosis or treatment pathways.
Uncertainty for patients
Patients may not know whether their data is included, whether it has been accessed, or what practical steps they should take.
Supplier accountability
Where outsourced or joint systems are used, patients need clarity about which organisation is responsible for security and communication.
Service impact: disruption is part of the harm
The immediate public focus was understandably on stolen data. But in healthcare, the loss of system availability can be just as serious. Blood testing and pathology services support operations, emergency care, cancer pathways, transplant work, GP decision-making and routine monitoring.
Public reporting described thousands of postponed appointments and procedures. The exact numbers changed as the incident developed. The broader point is that a ransomware incident affecting clinical infrastructure can produce practical harm even before the long-term privacy consequences are fully understood.
The service-continuity question
A healthcare cyber incident should be judged by operational resilience as well as data loss.
Which services became unavailable or manual?
Which patient pathways were delayed?
What workarounds were used?
How were urgent cases protected?
What changed after recovery?
Data security duties: confidentiality, integrity and availability
The UK GDPR security principle is not limited to keeping information secret. It concerns appropriate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage.
For healthcare systems, that duty has practical force. Organisations need measures that protect confidentiality, integrity and availability; they also need the ability to restore access to personal data in a timely way after a physical or technical incident.
That does not mean a ransomware attack automatically proves legal failure. It means a root-cause analysis is essential: what risks were known, what controls existed, what failed, what was tested, and whether the technical and organisational measures were appropriate to the sensitivity and operational importance of the data.
Confidentiality
Was access limited to authorised people and protected against unlawful disclosure?
Integrity
Could data remain accurate, complete and protected against unauthorised alteration?
Availability
Could critical systems and personal data be restored in time to protect patients and services?
Accountability
Could the organisations demonstrate risk assessment, testing, controls and lessons learned?
Breach response: communicate early, update clearly
The ICO’s breach-reporting guidance recognises that complex incidents may not be fully understood immediately. But it also emphasises the need to report early, update later, and provide accurate information as soon as possible.
For patients, the practical need is simple. They need to know whether appointments continue, whether urgent care remains available, whether their data may be affected, what support route exists, and what suspicious contacts should be treated as potential scams.
Contain and stabilise
Protect urgent clinical services, isolate affected systems and preserve evidence for technical investigation.
Report and coordinate
Notify appropriate regulators, cyber authorities, law enforcement and affected partners where required.
Inform affected people
Where risk is high, individuals should receive clear information without undue delay.
Learn and publish
After recovery, the public-confidence issue is what changed to reduce recurrence and improve resilience.
The resilience test: what the public should expect next
Cybersecurity cannot be judged only by whether an organisation was attacked. Large public-service systems will be targeted. The stronger question is whether the organisation was prepared, whether controls were proportionate, whether recovery plans worked, and whether patients received clear communication.
Healthcare organisations and suppliers should treat the Synnovis incident as a resilience test. That means looking beyond passwords and firewalls into contracts, supplier oversight, backups, manual fallback, incident command, patient communications, procurement, clinical prioritisation and board-level accountability.
Supplier assurance
Contracts should make cybersecurity, incident reporting, audit rights and recovery duties visible before an incident occurs.
Clinical continuity planning
Healthcare providers should know which services fail when digital pathology systems fail, and what manual workarounds are safe.
Data-minimisation discipline
Large stores of identifiable data should be tested against necessity, access controls, segmentation, retention and exposure risk.
Patient communication
Patients should receive practical information about care continuity, data risk, helplines and fraud protection.
Public learning
After recovery, public bodies should explain lessons learned without exposing sensitive security information.
Source anchors
These anchors support the incident background, ransomware framework, data-security duties and breach-response route. They do not determine legal liability or regulatory breach by Synnovis, NHS England, any trust, supplier or public body.
- Financial Times: NHS England probes data leak after cyber attack on Synnovis — reporting on the attack, reported 400GB data publication and service disruption.
- Associated Press: Russian cyber gang thought to be behind London hospital attack — reporting on Qilin attribution and hospital disruption.
- NCSC: What you need to know about ransomware — official guidance on ransomware, data theft, ransom demands and response/recovery.
- ICO: A guide to data security — official guidance on the UK GDPR security principle and appropriate technical and organisational measures.
- ICO: UK GDPR data breach reporting — official guidance on breach reporting, affected individuals, ICO notification and NCSC/law-enforcement routes.
- Report Fraud — public route for reporting fraud and cyber crime in England, Wales and Northern Ireland.
Closing point
The Synnovis ransomware incident shows why cyber resilience is now part of healthcare accountability. Patient data must be protected, but so must the systems that make modern care possible.
The public should not be asked to accept vague reassurance. They need clear explanations: what happened, what data may be affected, what services were disrupted, what support is available, who is accountable, and what will change.
The Legal Lens point is simple: in healthcare, data security is not a back-office function. It is part of patient safety, public trust and the rule of law.
Data breach, healthcare disruption and complaint route
Get a free written assessment before escalating a data-breach concern
Legal Lens can help turn a confusing data-breach or cyber-incident concern into a structured issue map. The assessment can separate data-risk questions, service-impact issues, complaint routes, evidence gaps, SAR options, ICO escalation and practical next steps.
Build a timeline from incident notices, appointment disruption, helpline contact and breach communications.
Identify whether the concern is personal data, health data, clinical disruption, identity risk or poor communication.
Separate supplier complaint, NHS complaint, SAR request, ICO complaint, fraud reporting or legal advice.
Independent Legal Lens consultancy. Legal Lens is not a regulated solicitors’ firm, NHS complaints body, data-protection consultancy, cybersecurity provider or crisis service. A preliminary assessment is not a substitute for regulated legal advice, specialist data-protection advice, urgent healthcare advice, fraud-response advice, cybersecurity support or representation where that is needed.

