Full Report
Synnovis's 18-month forensic review of Qilin intrusion completed, now affected patients to be notified

Synnovis has finally wrapped up its investigation into the 2024 ransomware attack that crippled pathology services across London, ending an 18-month effort to untangle what the NHS supplier describes as one of the most complex data reconstruction jobs it has ever faced.…
Analysis Summary
# Incident Report: Synnovis Qilin Ransomware Intrusion
## Executive Summary
In June 2024, Synnovis, an NHS pathology services supplier, suffered a complex ransomware attack attributed to the Qilin threat group. The 18-month forensic investigation, completed in November 2025, involved extensive data reconstruction due to fragmented and unstructured stolen data. The incident severely crippled pathology services across London, leading to thousands of cancelled appointments and operations, and was tragically linked to at least one patient death due to service disruption.
## Incident Details
- **Discovery Date:** June 2024 (Implied, corresponding to service disruption)
- **Incident Date:** June 2024
- **Affected Organization:** Synnovis (NHS Pathology Supplier)
- **Sector:** Healthcare / Pathology Services
- **Geography:** London, UK
## Timeline of Events
### Initial Access
- **Date/Time:** June 2024 (Attack began)
- **Vector:** Unknown (Forensic investigation could not determine the initial entry method.)
- **Details:** Attackers gained access and executed a "smash-and-grab" operation.
### Lateral Movement
- **Date/Time:** Post-Initial Access (Implied)
- **Vector:** Not explicitly detailed, but implied as necessary to exfiltrate data.
- **Details:** Attackers scraped data in a "random and untargeted manner" from a working drive, avoiding the primary laboratory database.
### Data Exfiltration/Impact
- **Date/Time:** During Intrusion (Summer 2024)
- **Impact:** Data relating to potentially over 900,000 NHS patients was exfiltrated and subsequently dumped online by the attackers. Operational services were crippled, forcing appointment/operation cancellations.
### Detection & Response
- **Detection:** Systems went dark in June 2024, triggering incident response.
- **Response Actions:** 18-month complex forensic review initiated. Ransom payment was refused jointly with NHS Trusts. All affected infrastructure has since been replaced. Notification process to affected NHS organizations began in November 2025.
## Attack Methodology
- **Initial Access:** **Unknown** (Key gap in post-incident review).
- **Persistence:** Not detailed.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed, though the fragmented nature of the stolen data suggests potential evasion or haste.
- **Credential Access:** Not detailed.
- **Discovery:** Implied reconnaissance occurred before data scraping.
- **Lateral Movement:** Involved accessing working drives to randomly scrape data.
- **Collection:** Data was taken "in haste from a working drive, in a random and untargeted manner," yielding unstructured, fragmented information, including fragments of NHS numbers, names, dates of birth, and some test results.
- **Exfiltration:** Stolen files were dumped online by the Qilin gang.
- **Impact:** System disruption (ransomware/disabling services) and potential data exposure (double extortion).
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Potential exposure of data relating to **over 900,000 NHS patients**. Data quality was poor (unstructured, fragmented), including personal identifiers and some test results, though much required clinical knowledge to interpret.
- **Operational:** Thousands of appointments and operations were cancelled across London pathology services.
- **Reputational:** Significant scrutiny placed on Synnovis and NHS supply chain security. The incident was linked to a patient fatality.
## Indicators of Compromise
*Note: Since the article provided no specific IoCs, this section lists general attack group TTPs.*
- **Network Indicators:** Not specified.
- **File Indicators:** Not specified.
- **Behavioral Indicators:** High-volume, random data scraping from non-primary working drives; use of Qilin ransomware tactics (double extortion).
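The behavioral indicator above (bulk, untargeted reads sweeping across a working share) is the kind of signal that file-access audit logs can surface. The following is an added example for this report, not tooling from Synnovis or the NHS: it applies a per-account sliding window over constructed audit lines and alerts only when both the volume of distinct files and the breadth of directories touched exceed thresholds, so that a routine analyst re-reading one batch folder does not trip it. The log format, account names, share layout and thresholds are all assumptions constructed here.

```python
"""Detect bulk, untargeted reads from a working share in file-access audit logs.

Added example for this report, not tooling from Synnovis or the NHS. The log
format, account names, share layout and thresholds are constructed here.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from posixpath import dirname

WINDOW = timedelta(minutes=10)   # sliding window per account (assumed tuning)
MIN_FILES = 150                  # distinct files read inside one window
MIN_DIRS = 25                    # distinct directories touched in the same window


def parse_line(line):
    """Parse a constructed audit line: '<ISO time> <account> <op> <path>'."""
    ts, account, op, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), account, op, path


def find_bulk_readers(lines):
    """Return {account: (window_start, distinct_files, distinct_dirs)} for each
    account whose READ activity inside any WINDOW exceeds both thresholds.
    Requiring volume AND breadth is what separates a sweep from batch work."""
    events = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, account, op, path = parse_line(line)
        if op == "READ":
            events[account].append((ts, path))

    alerts = {}
    for account, evs in events.items():
        evs.sort()
        window = deque()
        files, dirs = Counter(), Counter()
        for ts, path in evs:
            window.append((ts, path))
            files[path] += 1
            dirs[dirname(path)] += 1
            # Evict events older than WINDOW; counters keep distinct counts exact.
            while window and ts - window[0][0] > WINDOW:
                _, old_path = window.popleft()
                files[old_path] -= 1
                if files[old_path] == 0:
                    del files[old_path]
                old_dir = dirname(old_path)
                dirs[old_dir] -= 1
                if dirs[old_dir] == 0:
                    del dirs[old_dir]
            if len(files) >= MIN_FILES and len(dirs) >= MIN_DIRS:
                # Record the first window that crossed both thresholds.
                alerts.setdefault(account, (window[0][0], len(files), len(dirs)))
    return alerts


def constructed_log():
    """Build a constructed audit log: an analyst re-reading one batch folder,
    plus one account sweeping many unrelated directories within minutes."""
    base = datetime(2024, 6, 3, 1, 0, 0)
    lines = []
    # Baseline: 40 reads of the same 5 files in one folder over 20 minutes.
    for i in range(40):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()} analyst.jones READ "
                     f"/working/2024/Q2/batch_b7/run{i % 5}.csv")
    # Sweep: 300 distinct files across 30 directories in about five minutes.
    for i in range(300):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} svc_report READ "
                     f"/working/2023/dir{i % 30}/file{i}.xlsx")
    return lines


if __name__ == "__main__":
    for account, (start, n_files, n_dirs) in find_bulk_readers(constructed_log()).items():
        print(f"ALERT {account}: {n_files} files across {n_dirs} dirs from {start}")
```

With the constructed input only `svc_report` is reported; `analyst.jones` touches five files in one directory and never crosses either threshold. In a real deployment the thresholds would be set from the share's own baseline, and the same logic can be pointed at SMB audit events or EDR file-read telemetry once the parser is adapted to that format.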
## Response Actions
- **Containment:** Not specified, but service outage implies immediate isolation of compromised systems.
- **Eradication:** All compromised systems have reportedly been replaced.
- **Recovery:** 18-month forensic data reconstruction effort completed. Notification process initiated for affected NHS organizations.
- **Ransom Decision:** Ransom payment was **refused** based on ethical principles and rejection of funding cybercriminal activities.
## Lessons Learned
- **Complexity of Forensics:** Untangling unstructured, fragmented, and incomplete stolen data from compromised systems is an extremely complex and time-consuming forensic exercise, taking over a year for leading experts.
- **Supply Chain Risk:** Breaches affecting critical, embedded suppliers (like pathology services) have severe, real-world consequences, including patient harm and fatality.
- **Lack of Visibility:** The inability to determine the initial entry vector highlights critical gaps in security visibility even after extensive review.
## Recommendations
- **Enhance Supply Chain Audits:** NHS procurement and management must mandate higher, verifiable security standards for critical pathology and supplier infrastructure.
- **Improve Data Hygiene:** Implement systems that minimize the presence of critical, sensitive PII/PHI data on readily accessible "working drives" susceptible to rapid, untargeted scraping.
- **Address Initial Access Gaps:** Invest heavily in preventative and detection controls focused on the earliest stages of network intrusion, with logging retained long enough that the full intrusion chain, including the entry point, can be reconstructed after the fact.
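The data-hygiene recommendation above depends on first knowing where patient identifiers actually sit on working drives. The following is an added example for this report, not Synnovis or NHS code: it walks a working share, finds ten-digit values that pass the published NHS number Modulus 11 check-digit rule, and reports which files hold them so they can be moved to controlled storage or purged. The share layout and file contents are constructed in a temporary directory; the two valid numbers used are published test values, and the suffix list is an assumption.

```python
"""Find files on a working share that contain valid NHS numbers.

Added example for this report, not Synnovis or NHS code. The share layout and
file contents are constructed in a temporary directory; the check-digit rule
is the published NHS number Modulus 11 algorithm.
"""
import re
import tempfile
from pathlib import Path

# Ten digits, optionally grouped 3-3-4 with spaces or hyphens.
NHS_PATTERN = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{4})\b")
TEXT_SUFFIXES = {".csv", ".txt", ".log"}   # assumed set of text-like exports


def is_valid_nhs_number(candidate):
    """Modulus 11 check: weights 10..2 over the first nine digits, check digit
    is 11 minus the remainder; 11 maps to 0 and 10 means 'not a valid number'."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) != 10:
        return False
    total = sum(d * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False
    return check == digits[9]


def scan_share(root):
    """Return {relative file path: count of valid NHS numbers} for text-like files.
    Counts, not values, are reported so the scanner's own output is not PHI."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        text = path.read_text(errors="replace")
        hits = sum(1 for m in NHS_PATTERN.finditer(text)
                   if is_valid_nhs_number(m.group(0)))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def build_constructed_share():
    """Lay out a constructed working share in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="working_share_"))
    (root / "exports").mkdir()
    (root / "notes").mkdir()
    # Two published test NHS numbers and one with a wrong check digit.
    (root / "exports" / "run_2024-06-01.csv").write_text(
        "nhs_number,result\n943 476 5919,4.2\n4010232137,5.1\n9434765918,6.0\n")
    # A ten-digit instrument serial that fails Modulus 11 (check digit would be 10).
    (root / "notes" / "instrument.log").write_text("serial 1234567890 calibrated\n")
    (root / "notes" / "readme.txt").write_text("no identifiers here\n")
    return root


if __name__ == "__main__":
    for rel_path, count in scan_share(build_constructed_share()).items():
        print(f"{rel_path}: {count} valid NHS number(s)")
```

Only `exports/run_2024-06-01.csv` is reported, with a count of two: the entry with the wrong check digit and the instrument serial are discarded by the Modulus 11 test, which keeps the noise from arbitrary ten-digit strings low. Run periodically against each working share, the output gives a concrete inventory of identifier sprawl to drive retention and access-control decisions.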