Industry - Data Breach
Executive Summary
Mid and South Essex NHS Foundation Trust confirmed that 2,380 patient records, including test results and personal information like names and NHS numbers, were stolen in a June 2024 cyber attack on third-party testing provider Synnovis. The Russia-based Qilin ransomware group claimed responsibility for the breach, which affected multiple NHS organizations across England and resulted in stolen data being published on the dark web. The trust is now contacting affected patients and has brought i...
What Happened
In June 2024, a Russia-based ransomware group called Qilin attacked Synnovis, a third-party testing provider that analyzes blood, urine, and tissue samples for NHS organizations across England. The attack resulted in the theft of 2,380 patient records from Mid and South Essex NHS Foundation Trust, including names, dates of birth, NHS numbers, postcodes, and test results. The stolen data was subsequently published on the dark web, and affected NHS trusts were notified of the breach in December 2024.
Who Is Affected
At least 2,380 patients who received diagnostic testing through Mid and South Essex NHS Foundation Trust are confirmed affected, along with nearly 33,000 patients from Bedfordshire Hospitals NHS Foundation Trust. Multiple other NHS organizations across England that used Synnovis for testing services also had patient data stolen, though the total number of affected patients across all trusts has not been disclosed. The stolen information includes highly sensitive medical test results and personal identifiers.
Why It Matters
This breach demonstrates the cascading privacy risks when healthcare providers rely on third-party vendors for critical services, as a single attack compromised patient data across multiple hospital systems. The two-year gap between the attack and patient notification raises concerns about breach response timelines in healthcare. The publication of medical test results and personal information on the dark web creates ongoing risks of identity theft, medical fraud, and potential blackmail for thousands of patients.
What You Should Do
If you received testing services from Mid and South Essex NHS Foundation Trust or other NHS organizations using Synnovis in 2024, monitor for contact from your hospital trust and follow their guidance. Watch for suspicious activity on your medical records and financial accounts, as stolen NHS numbers and personal details can be used for identity fraud. Contact your NHS trust directly if you have concerns about whether your data was affected, and consider requesting additional security measures on your patient records.
Summary generated from verified sources and reviewed before publication. How we summarize.
Sources