Patients left in the dark months after cybercriminals leak testing lab data

More than 11 months after a ransomware group published information from a U.K. pathology services company, the affected patients still have not been informed about what data of theirs was exposed in the incident, with material about sexually transmitted infections and cancer cases being included in the leaks.

The data was compromised during an attack by the Qilin cybercrime group against London-based Synnovis last June. The attack severely disrupted care at a large number of National Health Service (NHS) hospitals and care providers in London.

Synnovis maintains an information page about the incident, but it still has not provided an estimate of the number of patients impacted, nor a detailed list of what data was published by the criminals. The page confirms that some patient information was compromised, and says: “In some circumstances this information may contain personal data such as names, NHS numbers and test codes (identifying the requested test), although analysis is ongoing.”

Contacted again this week, the company described the process as “significantly advanced” but still ongoing.

An analysis of the data by data breach specialists CaseMatrix suggests more than 900,000 individuals were impacted, with the published material including names, dates of birth, NHS numbers, and in some cases personal contact details. But the most sensitive information CaseMatrix identified included pathology and histology forms used to share patient details between medical departments and institutions. These forms often describe symptoms of intimate and private medical conditions, including cancer and STIs.

Immediately following the attack, Synnovis had to focus on recovering its critical blood testing services. The impact of the cyberattack severely reduced blood stocks across the United Kingdom as medical professionals were forced to use universal donor types because of limitations on blood matching, leaving several hospitals on the brink of limiting transfusions to only the most critical patients.

Three months after the incident, when Synnovis announced having successfully rebuilt the majority of its core IT systems and recovered its diagnostic services, individuals whose data was compromised in the attack had still not been provided with even a preliminary warning about the sensitivity of what was exposed.

At the time, Synnovis said it had “initiated an eDiscovery process shortly after the cyberattack to interrogate the data that was stolen and to identify any organisations and individuals it may relate to,” and last September described the process as “advanced.” 

Synnovis stated: “We will notify any relevant organisations directly should this process determine that data associated with their organisation was impacted.”

A spokesperson for two NHS Trusts that used Synnovis — Guy’s Hospital and St Thomas’ and King’s College Hospital — told Recorded Future News they were awaiting the outcome of Synnovis’ eDiscovery process to be notified about what data had been affected.

A spokesperson for NHS England redirected Recorded Future News to Synnovis.

According to guidance from the Information Commissioner’s Office (ICO), Britain’s privacy laws recognise that data breaches cannot always be fully investigated within a short time period — but there remains a legal requirement for organisations to inform data subjects about the compromise of sensitive details.

A relevant example published by the ICO states: “A hospital suffers a breach that results in accidental disclosure of patient records. There is likely to be a significant impact on the affected individuals because of the sensitivity of the data and their confidential medical details becoming known to others. This is likely to result in a high risk to their rights and freedoms, so they would need to be informed about the breach.”

A spokesperson for Synnovis stated: “We understand and share the eagerness for this investigation to conclude. It is nearing completion, which is significant progress, and allows us to now finalise the processes and mechanisms required to update any affected organisations and individuals as appropriate.”


Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.

 
