Full Report
More than 18 months after a ransomware attack disrupted care at hospitals in South East London, internal documents show at least one NHS trust is still working without fully restored systems and managing large backlogs of delayed test results. The delays mean results may not be available when clinicians need them, increasing the risk they…
Analysis Summary
# Incident Report: Synnovis Ransomware Attack (Qilin Group)
## Executive Summary
In June 2024, the pathology service provider Synnovis was targeted by a major ransomware attack orchestrated by the Qilin group, severely disrupting healthcare services across South East London. The attack led to the theft of sensitive data belonging to nearly one million patients and caused long-term operational paralysis, with system restoration and test backlogs still being managed more than 18 months later. The incident resulted in cancelled surgeries, delayed treatments, and a critical depletion of blood supply stocks.
## Incident Details
- **Discovery Date:** June 2023 (Approximate onset of disruption)
- **Incident Date:** June 2024
- **Affected Organization:** Synnovis (Pathology provider for NHS Trusts)
- **Sector:** Healthcare / Critical Infrastructure
- **Geography:** South East London, United Kingdom
## Timeline of Events
### Initial Access
- **Date/Time:** June 2024
- **Vector:** Not disclosed in the source. Qilin intrusions have typically begun with compromised credentials or exploitation of VPN appliances, but no vector is confirmed for this incident.
- **Details:** The attack specifically targeted Synnovis, the provider responsible for processing pathology tests for multiple NHS hospitals.
### Lateral Movement
- **Details:** Attackers moved through the provider's network to compromise systems responsible for blood testing, lab results, and data storage.
### Data Exfiltration/Impact
- **Details:** Sensitive data of approximately 985,000 patients was exfiltrated. This included medical information related to cancer treatments and sexually transmitted infections (STIs). The data was subsequently published on the dark web.
### Detection & Response
- **Detection:** Immediate operational failure of pathology systems in June 2024.
- **Response Actions:** Hospitals declared a "significant incident," cancelled elective surgeries, and prioritized critical blood transfusions. Notification to affected patients was significantly delayed, with many not briefed until late 2025.
## Attack Methodology
- **Initial Access:** Not confirmed; likely phishing or exploitation of remote-access services, consistent with standard Qilin TTPs.
- **Persistence:** Not disclosed; the source describes only the eventual ransomware deployment across the estate.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Not disclosed.
- **Discovery:** Internal network scanning for laboratory information management systems (LIMS).
- **Lateral Movement:** Propagation across interconnected trust networks.
- **Collection:** Aggregation of patient health records and pathology results.
- **Exfiltration:** Transfer of data to attacker-controlled infrastructure prior to encryption.
- **Impact:** Encryption of critical medical systems and "double extortion" (threat of data release).
## Impact Assessment
- **Financial:** Massive costs associated with 18+ months of manual workarounds and forensic recovery.
- **Data Breach:** Exposure of sensitive medical history for ~1,000,000 individuals.
- **Operational:** Disruption of blood testing; "very fragile" blood supply; creation of a massive backlog of test results still existing in 2026.
- **Reputational:** Significant public outcry regarding the delay in patient notification (over 12 months after the breach).
## Indicators of Compromise
- **Network indicators:** No specific IPs or URLs are provided in the source; Qilin leak-site traffic is typically Tor-based.
- **File indicators:** None provided in the source; Qilin ransom notes are typically associated with a `.qilin` or randomized extension suffix.
- **Behavioral indicators:** Large-scale data egress followed by sudden cessation of LIMS database availability.
## Response Actions
- **Containment:** Isolation of affected pathology servers from the wider NHS network.
- **Eradication:** Long-term forensic cleanup.
- **Recovery:** Phased restoration of laboratory systems; manual processing of blood tests during the interim.
## Lessons Learned
- **Key Takeaways:** Third-party providers (Synnovis) represent a massive single point of failure for critical public services.
- **What could have been done better:** The delay in notifying patients (until late 2025) damaged public trust. Communication strategies during "long-tail" recoveries need better planning.
## Recommendations
- **Supply Chain Security:** Implement stricter cybersecurity audits for private vendors integrated into critical infrastructure.
- **Data Resilience:** Ensure isolated, immutable backups of pathology databases to allow for faster restoration of service.
- **Disaster Recovery:** Develop robust manual failover procedures for clinicians when digital test results are unavailable for extended periods.