Synnovis June 2024 Cyber Incident Updates

On 03 June 2024, Synnovis was the victim of a cyberattack that affected all Synnovis IT systems and disrupted many of our pathology services.

Our forensic investigation into the attack was concluded by the end of Summer 2025 and the process of notifying those organisations whose data was affected was completed by the end of November 2025.

Under UK data protection law, it is the responsibility of each of those organisations to assess the stolen data that relates to them and determine if any impacted patients should be notified. The timeline for any onward notifications is up to the affected organisation and is likely to be different for each organisation. 

On 3 June 2024, Synnovis, a pathology partnership between Guy’s and St Thomas’ NHS Foundation Trust, King’s College Hospitals NHS Trust and SYNLAB, was the victim of a ransomware cyberattack.

Impact on services

This calculated attack on critical UK healthcare infrastructure impacted almost all Synnovis IT systems and resulted in interruptions to many of our pathology services. We immediately started an investigation alongside a taskforce of IT experts from Synnovis, our Trust partners, NHSE and third party specialists to understand what happened and to rebuild as quickly as possible to continue serving patients. As part of our incident response, we also contacted the National Crime Agency (NCA), the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO).

In the following months, every available Synnovis resource was dedicated to restoring services and rebuilding systems. By late Autumn 2024, access to all services that were available prior to the cyber attack was restored. None of the IT infrastructure that was impacted by the attack remains.

We regret the disruption, concern and upset to patients, our own employees, frontline NHS colleagues and other service users as a result of this criminal cyberattack. Every effort was made to support clinicians, GPs and patients and end the disruption caused as quickly as possible during this time.

Stolen data

During the incident, data was stolen in haste and in a random manner from Synnovis’ working drives. No data was taken from our primary lab databases.

On 20 June 2024, the criminals behind the attack published the stolen data. Synnovis took urgent steps to limit the impact, including obtaining an injunction to protect patients, colleagues and service users by preventing further publication of the data.

We also immediately engaged a team of cyber security specialists to identify any organisations and individuals the stolen data may relate to. This investigation has taken more than a year to complete because of its exceptional scale and complexity. Multiple specialised platforms and bespoke processes had to be developed to reconstruct the data.

We have been in regular communication with the ICO since the attack and worked closely with relevant law enforcement agencies including the NCA in the immediate aftermath of the incident.

Current status

Updated March 2026:

Upon conclusion of the forensic investigation, Synnovis was able to notify those organisations whose data was affected, a process that was completed by the end of November 2025.

UK data protection laws state that in the event of a data breach, it is the Data Controller, i.e. the healthcare provider, who is responsible for the data and so must be the one notifying any impacted patients. The timeline for any onward notifications is up to the affected organisation and is likely to be different for each organisation.

Synnovis will not be contacting any impacted patients directly.