The FAQs below provide additional information for individuals who may have been impacted by this incident.
We completed the process of notifying the organisations whose data was affected by the end of November 2025.
UK data protection law states that in the event of a data breach, it is the controller of your data – the healthcare provider that requests any testing services from us – who is responsible for assessing patient impact and any requirement to contact patients directly. The timeline for any onward patient notification is up to those organisations and is likely to be different for each organisation.
It is important to note that Synnovis will not be contacting patients directly. Anyone who contacts you about your data claiming to be from Synnovis should be reported to Action Fraud, who are the UK’s national reporting centre for fraud and cybercrime. They can be contacted on 0300 123 2040.
General
Synnovis provides pathology services including blood, urine and specimen testing to a number of healthcare organisations, including the NHS. Based in south east London, we are co-owned by Guy’s and St Thomas’ NHS Foundation Trust, King’s College Hospital NHS Foundation Trust and SYNLAB.
Data Impact
We process data on behalf of a number of healthcare organisations who share information with us so we can deliver our pathology services. We will contact all organisations whose data was impacted in this incident by 21 November 2025. It is then the responsibility of these organisations to assess the data that relates to them and determine if any impacted patients should be notified.
The timeline for notification is up to the affected organisation, and is likely to be different for each organisation based on the amount and type of data, and number of individuals involved. If the organisation decides that they need to notify individuals, this may be via a personal letter or through a general communication on their website.
You should always be alert to approaches from anyone claiming to have your data and to any other suspicious calls or emails, particularly if you are asked to provide personal or financial data. Please be aware that under UK data protection law, Synnovis will not be contacting patients directly.
- If you are contacted by someone who claims to have your data or to be from Synnovis, please contact Action Fraud, who are the UK’s national reporting centre for fraud and cybercrime. They can be contacted on 0300 123 2040.
- Send suspicious emails to report@phishing.gov.uk or texts to 7726.
- The National Cyber Security Centre (NCSC) has cyber security guidance to help protect individuals and families on data breaches, and guidance on how to spot and report ‘Phishing’, which is when criminals use scam emails, text messages or phone calls to trick their victims into providing further information.
We fully understand that you may be concerned. We have taken additional steps to reduce any risk for patients.
Please be assured that there is no evidence that the cybercriminal’s interest in Synnovis or the stolen data is ongoing. There has not been any evidence of the compromised data being misused against any individual in over 12 months.
Furthermore, in July 2024 we applied for a legal injunction, which is a court order that prevents people or groups from misusing or spreading the stolen data. This means any information stolen in the cyber-attack cannot legally be published. The fragmented and complex nature of the stolen data means significant specialist time and effort is required to access it, which is a strong deterrent to anybody with ill-intent.
However, sometimes opportunists can try to take advantage of such incidents, using approaches such as ‘Phishing’, which is when criminals use scam emails, text messages or phone calls to trick their victims into providing further information. The National Cyber Security Centre (NCSC) has guidance on how to spot and report these. Please contact Action Fraud who are the UK’s national reporting centre for fraud and cybercrime. They can be contacted on 0300 123 2040.
Please be aware that under UK data protection law, Synnovis will not be contacting patients directly.
The published data was stolen in haste from a working drive, in a random and untargeted manner. No data was taken from our primary lab database.
Some of the stolen data did include elements of personal data such as an NHS number, name or date of birth. A very small amount of the stolen data included test results that we could match to an individual. This data appeared in a variety of formats including simple test results, test codes, numerical results, reference ranges, narrative information or a range of these. The majority of test results would require clinical knowledge or further enrichment to interpret e.g. numerical and reference to ranges rather than positive or negative.
We provide pathology services to healthcare providers. This means that while conducting and providing the results of a pathology test, we may have processed some information about you as provided by the organisation who requested the test on your behalf.
For example, if a patient has a blood test, their healthcare provider shares the patient’s details with us so we can process and track the test.
Shortly after the incident occurred, the criminals responsible for this cyber-attack published some of the stolen data online. We took urgent steps to limit the impact of this, including obtaining a legal injunction to prevent people from using or further publishing the data.
You should always be alert to approaches from anyone claiming to have your data and to any other suspicious calls or emails, particularly if you are asked to provide personal or financial data.
If you are contacted by someone who claims they have your data, please contact Action Fraud, who are the UK’s national reporting centre for fraud and cybercrime. They can be contacted on 0300 123 2040.
Send suspicious emails to report@phishing.gov.uk or texts to 7726.
The National Cyber Security Centre (NCSC) has further guidance for individuals and families on data breaches.
Please be aware that under UK data protection law, Synnovis will not be contacting patients directly.
The National Cyber Security Centre (NCSC) provides useful advice on steps an individual can take following a data breach: https://www.ncsc.gov.uk/guidance/data-breaches.
Notification Process
Following the incident, we began a long and complex investigation to understand what data had been stolen from our systems, and which organisations and individuals it belonged to. This investigation has taken more than a year to complete because the compromised data was unstructured, incomplete and fragmented, and often very difficult to understand. We appointed cyber security experts who had to use highly specialised platforms and bespoke processes to piece it together.
It may take some time for healthcare providers to notify impacted patients. We recommend checking the website of your healthcare provider(s) for any relevant updates.
UK data protection laws state that in the event of a data breach, it is the Data Controller, i.e. the healthcare provider, who is responsible for the data and so must be the one notifying any impacted patients.
We act as a Data Processor under UK data protection law. This means other organisations share information with us so we can deliver our pathology services. For example, if a patient has a blood test, their healthcare provider shares the patient’s details with us so we can process and track the test.
We notified all impacted organisations by the end of November 2025 to inform them that data we processed on their behalf was impacted in this incident. The Controllers at those organisations will have to assess the information provided to them to decide whether they need to notify affected patients under UK data protection laws.
Incident Background
No, we did not pay a ransom to these cybercriminals. This decision, made in collaboration with our NHS Trust partners, reflects our commitment to ethical principles and the rejection of funding future cybercriminal activities that threaten critical infrastructure, patient privacy, and national security.