NHS patients to finally be informed if hackers published their STI and cancer test data

More than a year after a ransomware group published blood test information regarding National Health Service patients’ sexually transmitted infections and cancer cases, the company directly impacted by the breach, Synnovis, says it is beginning the process that will notify the individuals impacted.

Patients’ data was compromised in June 2024 during a ransomware attack by the Qilin cybercrime group. The attack severely disrupted care at a large number of NHS hospitals and care providers in London, and is believed to have contributed to at least one patient’s death.

On a website regarding the incident, Synnovis said it has now concluded “a long and complex investigation to understand what data had been stolen from our systems, and which organisations and individuals it belonged to” after patients had been left in the dark for 17 months.

It said the investigation had “taken more than a year to complete because the compromised data was unstructured, incomplete and fragmented, and often very difficult to understand. We appointed cyber security experts who had to use highly specialised platforms and bespoke processes to piece it together.”

It did not provide a count of affected organisations or individuals. As previously reported by Recorded Future News, an analysis of the data by data breach specialists CaseMatrix suggests more than 900,000 individuals were impacted, with the published material including names, dates of birth, NHS numbers and in some cases personal contact details.

The most sensitive information CaseMatrix identified included pathology and histology forms used to share patient details between medical departments and institutions. These forms often describe symptoms of intimate and private medical conditions, including cancer and STIs.

Synnovis said it “will have notified all impacted organisations by 21 November 2025 to inform them if data that we processed on their behalf was impacted in this incident” and said that under British data protection laws it was the responsibility of those institutions to inform patients directly.

“It may take some time for healthcare providers to notify impacted patients. We recommend checking the website of your healthcare provider(s) for any relevant updates,” the company stated.

It added that it did not pay a ransom to the cybercriminals, stating: “This decision, made in collaboration with our NHS Trust partners, reflects our commitment to ethical principles and the rejection of funding future cybercriminal activities that threaten critical infrastructure, patient privacy, and national security.”