Two years on from ransomware attack, hospitals are still trying to identify and warn patients
# Incident Report: Qilin Ransomware Attack on Synnovis (NHS Supply Chain)
## Executive Summary
In June 2024, the Russian-linked ransomware group "Qilin" attacked Synnovis, a provider of pathology services to the UK’s National Health Service (NHS). The attack caused massive operational disruption, including thousands of canceled operations and at least one patient death linked to service delays. Two years later, the scope of the data breach continues to expand as secondary trusts, such as Mid and South Essex NHS Foundation Trust, identify thousands of compromised patient records within the exfiltrated data.
## Incident Details
- **Discovery Date:** June 3, 2024
- **Incident Date:** June 3, 2024 (Ongoing data reconciliation through June 2026)
- **Affected Organization:** Synnovis (Primary); Mid and South Essex NHS Foundation Trust, Bedfordshire Hospitals NHS Foundation Trust (Secondary)
- **Sector:** Healthcare / Pathology Services
- **Geography:** United Kingdom (South East London/Essex/Bedfordshire)
## Timeline of Events
### Initial Access
- **Date/Time:** June 3, 2024
- **Vector:** Ransomware deployment by the Qilin group (the source does not state the specific entry vector; Qilin intrusions elsewhere have typically been reported to begin with exploitation of exposed VPN/RDP services).
- **Details:** The attack targeted Synnovis systems, which handle blood tests and pathology for multiple NHS trusts.
### Lateral Movement
- Attackers moved through Synnovis’s infrastructure to access pathology databases and diagnostic testing records belonging to various NHS partner trusts.
### Data Exfiltration/Impact
- **June 2024:** Massive service disruption; clinicians unable to access blood test results.
- **Post-Attack:** Data exfiltrated after Synnovis refused to pay the ransom.
- **November 2025:** Synnovis completes forensic review and notifies affected trusts.
- **June 2026:** Mid and South Essex NHS Foundation Trust identifies ~2,380 compromised records.
### Detection & Response
- **Discovery:** System lockout and operational failure on June 3, 2024.
- **Response:** Forensic investigation initiated; systems restored over many months; a multi-year data reconciliation process began to identify victims.
## Attack Methodology
- **Initial Access:** Ransomware (Qilin Group).
- **Persistence:** Not specified.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Not specified.
- **Credential Access:** Not specified.
- **Discovery:** Scanning for diagnostic and patient databases.
- **Lateral Movement:** Movement from Synnovis core systems to specific trust data partitions.
- **Collection:** Gathering of specialist diagnostic testing records.
- **Exfiltration:** Data leaked via Qilin’s dark web leak site.
- **Impact:** Encryption of critical pathology systems; disruption of blood transfusion services; data theft.
## Impact Assessment
- **Financial:** Significant costs related to forensic recovery and a two-year-long manual data audit.
- **Data Breach:** Over 35,000 combined records (Bedfordshire Hospitals and Mid and South Essex) including diagnostic results; millions potentially impacted across the wider NHS.
- **Operational:** Thousands of canceled operations; severe delays in blood testing.
- **Reputational/Safety:** **Critical.** One fatality officially linked to the outage at King’s College Hospital; long-term loss of trust in supply chain security.
## Indicators of Compromise
- **Network indicators:** Connections to the Qilin group's Tor (.onion) leak-site infrastructure (no specific onion address is given in the source report).
- **File indicators:** Files encrypted with Qilin-specific extensions.
- **Behavioral indicators:** Disruption of automated laboratory information management systems (LIMS).
## Response Actions
- **Containment:** Isolation of Synnovis networks from the wider NHS Spine.
- **Eradication:** Forensic cleanup of infected servers completed by late 2024.
- **Recovery:** Restoration of pathology services; manual "look-back" exercise to identify specific patients whose data was fragmented in the stolen dump.
## Lessons Learned
- **Supply Chain Vulnerability:** A breach at a single private provider (Synnovis) can cripple dozens of public hospitals.
- **Data Fragmentation:** Even after a forensic review is "complete," it can take years for data controllers to identify individual victims if the stolen data is unstructured or fragmented.
- **Life-Safety Risk:** Ransomware in healthcare is not just a data risk; it is a direct threat to patient life.
## Recommendations
- **Supply Chain Audit:** NHS Trusts must enforce stricter cybersecurity standards on third-party pathology and diagnostic partners.
- **Data Mapping:** Organizations should maintain clear data maps so that if a processor is breached, the controller can immediately identify which patients are at risk.
- **Resilience Testing:** Hospitals must have "paper-based" or offline contingencies for pathology services that can be sustained for weeks, not just days.
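The Data Mapping recommendation, and the Data Fragmentation lesson above, come down to one question a controller must be able to answer on day one: which of my patients' records did the breached processor hold? The following is an added example, not code from the source report or from any NHS or Synnovis system, of a minimal controller-side data map that answers it; every trust, processor, dataset, patient ID and date in it is a constructed placeholder.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Transfer:
    """One entry in the controller's data map: a batch of patient data
    sent to a processor, and how long the processor retains it."""
    controller: str        # NHS trust that owns the data (data controller)
    processor: str         # third-party provider holding a copy (data processor)
    dataset: str           # category of data shared
    patient_ids: frozenset
    sent_on: date
    retention_days: int

def held_at(t: Transfer, when: date) -> bool:
    """True if the processor still held this batch on the given date."""
    return t.sent_on <= when < t.sent_on + timedelta(days=t.retention_days)

def breach_impact(data_map, processor, breach_date):
    """Build {controller: {dataset: set(patient_ids)}} for everything the
    breached processor held on breach_date. Batches already past their
    retention window and batches held by other processors are excluded."""
    impact = defaultdict(lambda: defaultdict(set))
    for t in data_map:
        if t.processor == processor and held_at(t, breach_date):
            impact[t.controller][t.dataset] |= t.patient_ids
    return {c: dict(d) for c, d in impact.items()}

def notification_lists(impact):
    """Collapse the impact map into one de-duplicated patient list per
    controller, which is what each trust needs to start notifications."""
    return {c: sorted(set().union(*d.values())) for c, d in impact.items()}

# Constructed sample data map: placeholder trusts, processors and patient IDs.
DATA_MAP = [
    Transfer("Trust A", "PathologyCo", "blood_tests", frozenset({"P001", "P002"}), date(2024, 5, 20), 30),
    Transfer("Trust A", "PathologyCo", "histology", frozenset({"P002", "P003"}), date(2024, 1, 10), 30),
    Transfer("Trust B", "PathologyCo", "blood_tests", frozenset({"P101"}), date(2024, 6, 1), 30),
    Transfer("Trust B", "ImagingCo", "radiology", frozenset({"P102"}), date(2024, 6, 1), 30),
]
BREACH_DATE = date(2024, 6, 3)  # constructed: the day processor PathologyCo is compromised

if __name__ == "__main__":
    impact = breach_impact(DATA_MAP, "PathologyCo", BREACH_DATE)
    for trust, ids in notification_lists(impact).items():
        print(f"{trust}: {len(ids)} patient(s) to notify -> {ids}")
```

With the map in place, the look-back that took the trusts two years becomes a query the controller can run the day the processor reports the breach, and it excludes batches the processor should already have deleted, which is itself a retention control worth verifying.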