Anatomy of a Breach

Anatomy of a Breach: Synnovis — Qilin Ransomware Cancels Thousands of NHS Blood Tests and Surgeries Across London

> series: anatomy_of_a_breach —— part: 186 —— target: synnovis —— nhs_trusts: guys_kings_london —— cancelled: 10,000+_appointments —— blood_shortage: critical<span class="cursor-blink">_</span>_

Hedgehog Security 30 June 2024 15 min read
ransomware synnovis nhs qilin uk-breach blood-tests pathology london-hospitals series
Breach #186

Blood tests cancelled. Surgeries postponed. O-type blood shortage. Across London's major hospitals.

On 3 June 2024, Synnovis — a pathology services provider operating as a partnership between Guy's and St Thomas' NHS Foundation Trust, King's College Hospital NHS Foundation Trust, and SYNLAB — was hit by Qilin ransomware. The attack encrypted Synnovis's laboratory information systems, disrupting blood testing, blood transfusion matching, and pathology result reporting across some of London's largest hospitals.

The impact on patient care was severe: over 10,000 acute outpatient appointments and nearly 2,000 elective procedures were postponed in the first weeks. Hospitals could not perform routine blood compatibility testing, forcing NHS Blood and Transplant to issue an amber alert for O-type blood — the universal donor type that can be used when a patient's blood type cannot be verified. The Qilin group subsequently published patient data on the dark web, including names, NHS numbers, and blood test results. The Synnovis attack was the most significant cyber attack on the UK's NHS since WannaCry (2017).

NHS Under Attack — Again
Recommended

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call

WannaCry 2017. NHS Advanced 2022. Synnovis 2024. The NHS remains critically vulnerable.

Blood Tests and Transfusions Disrupted
The inability to perform blood compatibility testing forced hospitals to use O-type blood universally — creating a critical shortage of the UK's most needed blood type. Pathology services underpin virtually every clinical decision in hospital medicine. <a href="/blog/sector-under-the-microscope-healthcare">Our healthcare sector analysis</a> examines the critical dependency on digital pathology systems. <a href="https://www.socinabox.co.uk/sectors/gp-surgeries">SOC in a Box for Healthcare</a> monitors pathology systems.
10,000+ Appointments Postponed
Over 10,000 appointments and nearly 2,000 surgeries were postponed — directly harming patients who waited longer for diagnosis and treatment. The patient safety impact echoed <a href="/blog/anatomy-of-a-breach-wannacry">WannaCry's</a> 13,500 cancelled appointments and the <a href="/blog/anatomy-of-a-breach-dusseldorf-hospital">Düsseldorf Hospital</a> fatality. Ransomware against healthcare is a patient safety crisis.
Patient Data Published
Qilin published patient data — including names, NHS numbers, and blood test results — on the dark web. As with <a href="/blog/anatomy-of-a-breach-medibank">Medibank</a> (2022), health data was weaponised to punish the organisation for not paying. <a href="https://www.socinabox.co.uk/blog/data-loss-prevention-small-business">Data loss prevention</a> through <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects data exfiltration before it reaches attackers.
Third-Party Pathology Provider
Synnovis is a partnership providing pathology services to NHS trusts — meaning the ransomware attack came through a shared services provider, disrupting multiple hospitals simultaneously. This is the <a href="/blog/anatomy-of-a-breach-nhs-advanced-lastpass">NHS Advanced</a> (2022) and <a href="/blog/anatomy-of-a-breach-blackbaud">Blackbaud</a> (2020) pattern: one vendor, multiple NHS organisations affected. <a href="/cyber-essentials">Cyber Essentials</a> addresses supplier security.
The NHS Cannot Keep Being Hit

WannaCry. NHS Advanced. Synnovis. How many more times?

The Synnovis attack was the third major cyber disruption to NHS services documented in this series — after WannaCry (2017, 80 trusts) and NHS Advanced (2022, NHS 111). Each time, patients suffered directly. Each time, the root causes were preventable. And each time, the NHS's dependency on digital systems — without proportionate cybersecurity investment — was exposed. Cyber Essentials provides the baseline every NHS supplier should hold. Penetration testing validates that pathology and clinical systems are secured. SOC in a Box for Healthcare monitors NHS supplier connections. And UK Cyber Defence provides the incident response that keeps hospitals operational when ransomware strikes.

NHS Cybersecurity

Blood tests cancelled. Surgeries postponed. Patient data published. The NHS needs better cybersecurity. Now.

<a href="/cyber-essentials">Cyber Essentials</a> for NHS suppliers. <a href="/penetration-testing">Penetration testing</a> for clinical systems. <a href="https://www.socinabox.co.uk/sectors/gp-surgeries">SOC in a Box for Healthcare</a>. Because patient safety is cybersecurity.

Commission a Healthcare Assessment Next: CrowdStrike Global Outage
Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call
Keep Reading

Related Articles

Anatomy of a Breach 30 June 2020

Anatomy of a Breach: Blackbaud — The Charity Software Vendor That Exposed UK Universities, NHS Trusts, and Charities

Breach #138. In July 2020, Blackbaud — a cloud computing provider serving nonprofits, charities, and educational institutions — disclosed that ransomware attackers had accessed and exfiltrated customer data before the company detected and stopped the attack. Blackbaud controversially paid the ransom and stated it had received 'confirmation' the data had been destroyed. The breach affected hundreds of organisations worldwide — including UK institutions such as the National Trust, the University of Birmingham, De Montfort University, Young Minds charity, and multiple NHS trusts. Blackbaud later admitted that the breach was more extensive than initially disclosed.

data-breach blackbaud
13 min read
Anatomy of a Breach 31 May 2017

Anatomy of a Breach: WannaCry — The Ransomware That Brought the NHS to Its Knees

Breach #101. On 12 May 2017, WannaCry ransomware began spreading across the internet at unprecedented speed, using the NSA's stolen EternalBlue exploit to propagate through unpatched Windows systems. Within hours, over 200,000 computers in 150 countries were encrypted. The UK's NHS was devastated: 80 trusts were affected, 13,500 appointments were cancelled, five A&E departments diverted patients, and 595 GP practices were disrupted. The patch had been available for 59 days. WannaCry was ultimately stopped by a security researcher who accidentally activated its kill switch — a single unregistered domain that halted global propagation.

wannacry ransomware
16 min read
Anatomy of a Breach 30 September 2025

Anatomy of a Breach: Jaguar Land Rover — Manufacturing Halted, Staff Sent Home, and Revenue Hit by Ransomware

Breach #201. In September 2025, UK car manufacturer Jaguar Land Rover (JLR) was hit by a cyber attack that severely disrupted production at its Halewood plant in Merseyside, forcing staff to stay home while the company responded. The incident, reportedly claimed by a group calling itself Scattered Lapsus$ Hunters, prevented car dealers from registering new JLR vehicles — during one of the busiest periods for new car registrations in the UK. JLR subsequently revealed that the attack had a significant financial impact on its revenue. The M&S and JLR attacks together constituted the most damaging year for UK corporate cybersecurity on record.

jaguar-land-rover jlr
13 min read
All Posts Get in Touch