Two years after the Synnovis ransomware attack, NHS trusts are still counting victims. Mid and South Essex just confirmed roughly 2,380 patient records were caught up in the breach, raising fresh questions about how slowly affected people are being told their medical data was stolen.
The human cost of the 2024 Synnovis ransomware attack is still being tallied, and the numbers keep climbing. Mid and South Essex NHS Foundation Trust has now confirmed it was swept up in the breach, with around 2,380 patient records tied to specialist diagnostic testing exposed when the Qilin ransomware gang struck the pathology provider.
The Essex disclosure follows a similar admission from Bedfordshire Hospitals NHS Foundation Trust earlier this month, which said almost 33,000 patient records were affected by the same incident. Two years on, hospitals across south east London and beyond are still working through forensic data to figure out exactly whose information was taken and to warn them.

What happened
Synnovis is a pathology services joint venture that processes blood tests, transfusions, and diagnostic samples for a network of NHS trusts. On June 3, 2024, the Qilin ransomware group breached its systems. The attack crippled pathology services, forced the cancellation of thousands of appointments and operations, and left clinicians scrambling as blood testing and transfusion services ground to a halt. When Synnovis refused to pay, the attackers published stolen patient data online.
The data exposure has proven harder to map than the operational chaos. Mid and South Essex told The Register that some of the compromised data cannot yet be directly linked to individual patients, so the trust still cannot say how many people were ultimately affected. The exact time period covered by the stolen records also remains unestablished, though patients tested after the day of the attack were not caught up in it.
"We are still waiting for confirmation on exact numbers," Dawn Scrafield, deputy chief executive of Mid and South Essex, said. "Once we have established who those patients are, we will be in contact with any who have been affected."
The legal basis and why notification is so slow
This is where the data protection mechanics matter for anyone whose records may be sitting in the leaked files. Under UK GDPR, the legal duty to notify individuals of a personal data breach falls on the data controller, not the data processor. The distinction is not academic. A controller decides why and how personal data is processed. A processor, like Synnovis, handles that data on the controller's behalf. The processor's own statutory duty under Article 33(2) is narrower: to notify the controller without undue delay once it becomes aware of a breach. What happens after that is the controller's call.
Synnovis has been explicit about where it sits in that chain. "Synnovis, as the Processor of the data, is not involved in any of the assessments regarding if, when or how many patients a Controller determines necessary to notify," a spokesperson said. The company added that any decision on patient notification, including how many patients to contact, rests with each affected NHS organisation.
Under Article 34 of the UK GDPR, a controller must notify affected individuals "without undue delay" when a breach is likely to result in a high risk to their rights and freedoms. There is a carve-out: if the data is unintelligible to unauthorised parties, or if individual notification would involve disproportionate effort, the controller can rely on a public communication instead. Synnovis says it does not believe the stolen information presents a high risk because of its fragmented nature, but each trust has to make its own assessment of what was taken.
That fragmentation is precisely why the process has dragged. Synnovis says it completed its forensic review by the end of last summer and notified all affected organisations by November 2024. Mid and South Essex, however, says it was only informed in December 2025 and, six months on, is still working out which patients map to the compromised records. The gap between "organisation notified" and "patients identified" is where notification effectively stalls: the "without undue delay" standard still applies, but a trust cannot send an individual notification until it knows whose records the leaked files contain.
Impact on patients and trusts
For patients, the practical consequence is a long period of uncertainty. People who had diagnostic tests before June 2024 may have had sensitive health information published online without ever being told, simply because the affected trust cannot yet attach a name to a leaked record. Special category data, which includes health information, carries the strongest protections under UK data protection law, and exposure of it raises real risks of targeted phishing, fraud, and distress.
For the trusts, the episode is a reminder that outsourcing data processing does not outsource accountability. The controller remains on the hook for notification, breach reporting to the Information Commissioner's Office (under Article 33, within 72 hours of becoming aware of the breach unless it is unlikely to result in a risk), and any regulatory consequences, even when the breach happened inside a third party's systems. The ICO has the power to issue fines of up to £17.5 million or 4 percent of annual worldwide turnover, whichever is higher, for serious infringements, and it has been scrutinising the Synnovis incident.
The stakes here go beyond regulatory paperwork. Last year, King's College Hospital NHS Foundation Trust confirmed that delays caused by the outage contributed to the death of a patient, one of the first officially acknowledged fatalities linked to a ransomware attack. That single fact reframes the breach from a data incident into a patient safety event.
What changes
The slow drip of trust-by-trust disclosures suggests the final patient count will keep rising for some time. Anyone who used pathology services connected to Synnovis before June 2024 should treat unexpected contact about their health data with caution and watch for phishing attempts referencing real medical details. A leaked test result makes a lure look authentic, so the check is the source, not the content: verify any such contact through the trust's published phone number or website rather than a link or number supplied in the message itself.
The broader lesson sits in the controller and processor relationship that underpins much of modern healthcare IT. When a central provider serves many organisations, a single breach cascades into dozens of separate notification duties, each moving at the pace of its slowest data-matching exercise. Affected individuals are left waiting on a chain of assessments they have no visibility into. The contractual lever already exists: Article 28 of the UK GDPR requires a processor contract to oblige the processor to assist the controller with its breach obligations, and that assistance is only useful if the processor can tell each controller which of its records were taken. Tightening those contractual and technical links, so that affected records can be identified quickly rather than over a span of years, is the change this incident most clearly demands.
The ICO publishes guidance on the controller and processor distinction and on personal data breach reporting obligations for organisations trying to understand their duties after an incident like this one.
