The FAQs below are intended for those organisations whose data has been impacted by the Synnovis cyberattack of June 2024.
Where there has been a data breach involving personal information:
- the ‘Controller’ of that data is responsible for that data and has the legal obligation to keep individuals informed.
- the ‘Processor’ handles this data but acts on the instructions of Controllers and does not have authority over it.
In this instance, the Controllers are healthcare organisations and the Processor is Synnovis.
General
Synnovis is a pathology partnership between Guy’s and St Thomas’ NHS Foundation Trust, King’s College Hospitals NHS Trust and SYNLAB. We process blood and other tests on behalf of organisations across the UK and internationally.
Data Impact
The notification letter will provide detailed information about the incident, the investigation and, at a high level, the nature of the data impacted in relation to each organisation. It will also lay out the next steps for affected organisations.

The compromised data was not in an organised, searchable format; it was unstructured, incomplete and fragmented, and often very difficult to decipher. Multiple highly specialised platforms and bespoke processes were needed to reconstruct the data. Each data point had to be analysed and linked together in an attempt to identify each impacted patient and to determine the Controller organisation for that patient’s personal data.

Synnovis conducted an extensive Controller mapping process using client codes, ODS codes or SAP codes where these were present in the data. Where these codes were not available, efforts were made to manually map to Controllers using file names, folder locations and other reference data.

The compromised data was largely fragmented, incomplete and often very difficult to decipher. Given its poor quality, Synnovis needed an identifiability approach to determine whether each data point could be linked to individual patients.
Synnovis was able to link some data to individual patients due to the presence of either an NHS number, or a combination of other patient identifiers within the compromised dataset. The majority of data was of poor quality, which Synnovis was not able to conclusively link to individual patients. Impacted organisations may be able to ‘enrich’ this data to identify individual patients using additional data they may hold, but which is outside the scope of the compromised data.
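The two steps described above (mapping each fragment to a Controller by explicit code with a file-path fallback, then sorting fragments into those linkable to a person, those a Controller could enrich from its own records, and those with no identifiers) can be expressed as a small triage routine. The following Python is an added illustration, not Synnovis tooling: the ODS/client/SAP codes, organisation names, folder layout, sample fragments and the "three secondary identifiers" threshold are all constructed assumptions, and the NHS-number check digit is the published Modulus 11 rule rather than anything taken from the page.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed lookup table: placeholder codes and organisation names, not real
# ODS/client/SAP codes and not anything from the compromised dataset.
CONTROLLER_BY_CODE = {
    "ods:X0001": "Hospital Trust A",
    "client:CLI-17": "GP Federation B",
    "sap:500042": "Private Clinic C",
}

# Fallback when the fragment carries no code: infer a client code from the
# export folder layout (assumed layout /exports/<client code>/..., constructed).
PATH_CLIENT = re.compile(r"^/exports/(?P<client>CLI-\d+)/")

# Secondary identifiers that, in combination, can pin a fragment to a person.
SECONDARY = ("surname", "forename", "dob", "postcode")


@dataclass
class Fragment:
    path: str     # where the file sat on the working drive
    fields: dict  # key/value pairs recovered from the fragment (may be sparse)


def nhs_number_valid(raw: str) -> bool:
    """Modulus 11 check digit for a 10-digit NHS number (public specification;
    weights 10..2 over the first nine digits). Spaces and dashes are tolerated."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) != 10:
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - total % 11
    if check == 11:
        check = 0
    return check != 10 and check == int(digits[9])  # 10 is never a valid check digit


def map_controller(frag: Fragment) -> Optional[str]:
    """Explicit codes take precedence over the folder-path fallback."""
    for kind in ("ods", "client", "sap"):
        code = frag.fields.get(kind)
        if code and f"{kind}:{code}" in CONTROLLER_BY_CODE:
            return CONTROLLER_BY_CODE[f"{kind}:{code}"]
    m = PATH_CLIENT.match(frag.path)
    if m:
        return CONTROLLER_BY_CODE.get(f"client:{m.group('client')}")
    return None


def classify(frag: Fragment) -> str:
    """'identified': linkable to a person from the fragment alone;
    'enrichable': partial identifiers a Controller could match to its own records;
    'unidentifiable': no patient identifiers present at all."""
    nhs = frag.fields.get("nhs_number", "")
    if nhs and nhs_number_valid(nhs):
        return "identified"
    present = [k for k in SECONDARY if frag.fields.get(k)]
    if len(present) >= 3:  # threshold is an assumption for this example
        return "identified"
    if present or nhs or frag.fields.get("specimen_id"):
        return "enrichable"
    return "unidentifiable"


def triage(frags):
    """Return per-fragment (path, controller, class) rows plus a summary count."""
    rows = [(f.path, map_controller(f), classify(f)) for f in frags]
    summary = Counter((c or "UNMAPPED", cls) for _, c, cls in rows)
    return rows, summary


# Constructed sample fragments standing in for the loose records described above.
SAMPLE = [
    Fragment("/exports/CLI-17/results/2024-05.csv",
             {"nhs_number": "943 476 5919", "ods": "X0001", "result": "Hb 9.8 (11.5-16.0)"}),
    Fragment("/exports/CLI-17/results/2024-05.csv",
             {"nhs_number": "9434765918", "surname": "Doe"}),  # bad check digit
    Fragment("/scratch/tmp1.txt", {"surname": "Smith", "forename": "A", "dob": "1970-01-01"}),
    Fragment("/scratch/tmp2.txt", {"specimen_id": "S123", "sap": "500042"}),
    Fragment("/scratch/tmp3.txt", {"result": "K 4.1 (3.5-5.3)"}),
]

if __name__ == "__main__":
    rows, summary = triage(SAMPLE)
    for row in rows:
        print(row)
    print(dict(summary))
```

The "enrichable" bucket is the one the FAQ points Controllers at: a fragment carrying only a surname or a specimen identifier is not conclusively linkable from the stolen data alone, but an organisation holding the matching specimen register can resolve it. In real triage, fragments whose explicit code and folder path disagree (as the first sample does) would be flagged for manual review rather than silently resolved by precedence.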
An enormous amount of time was spent manually reviewing, cleansing and quality assuring the data, to maximise the amount that could be linked to individual patients.

The published data was stolen in haste from a working drive, in a random and untargeted manner. No data was taken from our primary lab database.

Some of the stolen data did include elements of personal data such as an NHS number, name or date of birth. A very small amount of the stolen data included test results that we could match to an individual. This data appeared in a variety of formats including simple test results, test codes, numerical results, reference ranges, narrative information or a range of these. The majority of test results would require clinical knowledge or further enrichment to interpret, e.g. a numerical value with a reference range rather than a positive or negative result.

The National Cyber Security Centre (NCSC) provides useful advice on steps an individual can take following a data breach: https://www.ncsc.gov.uk/guidance/data-breaches.
Useful NHSE website pages include:
We fully understand that those affected may be concerned. Please be assured that there is no evidence that the cybercriminals’ interest in Synnovis or the data is ongoing. Nor is there any evidence of misuse of the stolen data against any individual in over 12 months.
Furthermore, as a result of the injunction Synnovis secured in July 2024, we were able to take legal action against those who may have attempted to misuse or disseminate the stolen data, including ordering the removal of the stolen data from locations where it was shared at the time. We will not hesitate to further rely upon the injunction as necessary.
Notification Process
As the Controller of this data, your organisation should undertake independent legal analysis to determine whether it has an obligation to make a relevant notification, taking advice as deemed necessary.
Following your review of data requested on behalf of your organisation, if you determine that a notification is required to be made, Synnovis has prepared materials to support you.
Further instruction and information has been provided in your notification letter.

No. Under data protection law, it is the responsibility of the Controller of this data to determine if and how any individuals are to be notified. Each impacted organisation is responsible for conducting its own legal and risk assessments, which will determine any requirement to notify individuals.
Synnovis has provided details in the Notification Letters sent to the individuals responsible for data protection at each impacted organisation. This includes guidance on next steps and how to request notification templates if required.
Synnovis has been in regular communication with the ICO since the attack and has worked closely with relevant law enforcement agencies including the NCA during the incident and its aftermath. We encourage you to conduct your own legal analysis based on your impacted data to determine any regulatory reporting obligations you may have.
Impacted NHS entities are also advised to refer to the NHSE Data Security and Protection Toolkit (DSPT).

No. Under data protection law, it is the responsibility of the Controller of this data to determine if and how the ICO (or the equivalent regulator in your country, if applicable) is to be notified. Each impacted organisation is responsible for conducting its own legal and risk assessments, which will determine any requirement to notify relevant regulators.
Incident Background
This process has taken some time given the exceptional scale and complexity of the forensic interrogation and the need for absolute accuracy. We appreciate how unsettling and concerning this situation has been for you and sincerely apologise for the length of time this process has taken. Please be assured that the data involved has never been available in a form that could easily be used by anyone with ill-intent.
Extensive forensic investigation conducted by cyber security experts was not able to determine the way these attackers entered the Synnovis network. None of the IT infrastructure that was impacted by the attack remains.
No, we did not pay a ransom to these cybercriminals. This decision, made in collaboration with our NHS Trust partners, reflects our commitment to ethical principles and the rejection of funding future cybercriminal activities that threaten critical infrastructure, patient privacy, and national security.
Paying a ransom was never an option for us, and we will not fuel further discussion on this.
None of the IT infrastructure that was impacted by the attack remains.
Within four months of the cyberattack, we had rebuilt a new blood transfusion platform; within five months we had completed a substantial cloud migration of our core systems; and by November 2024 we had rebuilt over 75 applications and reconnected a vast pathology estate spanning seven locations from the ground up, including over 65 scientific analysers and more than 120 individual connections.

In addition, we took several steps to further secure our IT infrastructure. Following established cyber security practice, we do not comment on the specifics of our IT systems or our security protocol; however, we can confirm these steps included, but are not limited to:
- Implementing a cloud infrastructure environment, using CIS benchmark standards;
- Reviewing all policies and processes with industry experts, aligning to recognised standards.
We have invested heavily in ensuring our IT arrangements are as safe as they possibly can be, and will continue to do so.
Update as of December 2025: Synnovis has achieved Cyber Essentials Plus (CE+) accreditation following an independent audit. CE+ is the highest level of certification for cyber security currently recommended by the UK government. This outcome is testament to the work undertaken as part of Synnovis’ recovery from the 2024 cyber incident.
Yes. Please refer to the instructions provided in your notification letter.