The Synnovis Ransomware Disaster: Complete Timeline and Technical Analysis
On Monday, 3 June 2024, at approximately 4:30 AM, the Qilin ransomware gang deployed ransomware across Synnovis's IT infrastructure. Within hours, blood testing services for millions of patients across southeast London collapsed. One patient would die as a direct consequence.
This is the complete case study of what went wrong, how it happened, and why it was entirely preventable.
What Is Synnovis?
Synnovis is a pathology services partnership formed in 2021 between:
Guy's and St Thomas' NHS Foundation Trust
King's College Hospital NHS Foundation Trust
SYNLAB (international diagnostics provider)
They provide critical diagnostic services including:
Blood testing
Tissue analysis
Histopathology
Microbiology
Biochemistry
Synnovis processes approximately 3.5 million pathology tests annually for:
King's College Hospital
Guy's Hospital
St Thomas' Hospital
Royal Brompton Hospital
Evelina London Children's Hospital
Over 100 GP practices across southeast London
These are not optional services. Modern medicine cannot function without pathology. Doctors cannot diagnose cancer, kidney failure, infections, or blood disorders without laboratory analysis. Synnovis is foundational infrastructure for healthcare delivery across a region of approximately 2 million people.
The Attack Timeline
Monday, 3 June 2024 - 04:30: Initial Compromise
The Qilin ransomware gang deployed ransomware across Synnovis IT systems. According to subsequent analysis, the attackers gained initial access through compromised credentials. Multi-factor authentication was not enabled on the breached systems.
The ransomware encrypted:
Laboratory information management systems
Middleware connecting analysers to result reporting
Electronic requesting and result transmission systems
Administrative and financial systems
Email and communication platforms
06:00-08:00: Service Disruption Identified
Laboratory staff arriving for morning shifts discovered widespread system failures. Analysers could not identify samples. Results could not be transmitted electronically. The entire digital infrastructure supporting pathology services was offline.
Emergency protocols were activated. Senior management was notified. NHS trusts were alerted that pathology services were severely compromised.
09:00: NHS Emergency Response
King's College Hospital, Guy's and St Thomas' NHS Foundation Trust, and associated hospitals implemented emergency measures:
Cancellation of non-urgent procedures requiring blood matching
Urgent cases diverted to other laboratories where possible
Activation of manual, paper-based pathology workflows
Appeal for O-negative blood donors (universal donor type needed when electronic matching unavailable)
First 24 Hours: Cascading Failures
By end of day Monday:
Over 800 elective procedures cancelled
Thousands of outpatient appointments disrupted
Blood banks across London reporting critical shortages of O-negative blood
Manual workarounds implemented but operating at drastically reduced capacity
Tuesday, 4 June: Attack Attribution
Cybersecurity researchers identified the Qilin ransomware gang as responsible. Qilin is a Russia-linked ransomware-as-a-service operation known for targeting healthcare and critical infrastructure.
Week 1: Growing Crisis
Total cancelled appointments exceeded 5,000
Over 1,000 operations postponed
1,100 cancer treatments delayed
National blood shortage developing as hospitals across the UK used O-negative reserves
Manual pathology processing operating at approximately 20-30% of normal capacity
Thursday, 20 June: Data Published
Having received no ransom payment, Qilin published approximately 400GB of stolen data on their dark web leak site, including:
Patient names
NHS numbers
Dates of birth
Test descriptions
Pathology and histology forms
Information about patients with cancer
Data about sexually transmitted infections
This was not just encryption. This was data theft weaponised to apply pressure for ransom payment.
Month 1-2: Long Recovery
Synnovis worked with NHS trusts and cybersecurity firms to:
Rebuild over 60 interconnected IT systems
Restore electronic interfaces between laboratories and hospitals
Verify data integrity
Gradually restore service capacity
By late July, most hospital pathology services were operating normally, though some GP services remained disrupted.
June 2025: Death Confirmed
King's College Hospital NHS Foundation Trust confirmed that a patient "died unexpectedly during the cyberattack." A detailed investigation identified multiple contributing factors, including "a long wait for a blood test result due to the cyberattack impacting pathology services at the time."
This was the first confirmed death directly linked to the Synnovis ransomware attack. It likely will not be the last.
The Human Cost
Confirmed Casualties
1 Death: A patient died on 3 June 2024 after experiencing delayed blood test results. The family has been informed. Further details remain confidential.
2 Cases of Severe Harm: NHS data revealed two patients suffered "severe harm," defined as long-term or permanent damage reducing life expectancy.
11 Cases of Moderate Harm: Patients who did not need immediate life-saving intervention but suffered significant health impacts.
Over 120 Cases of Low Harm: Documented impacts on patient care and wellbeing.
Nearly 600 Patient Safety Incidents: Total incidents recorded by healthcare professionals as directly caused by the cyberattack.
Broader Impact
10,152 Acute Outpatient Appointments Cancelled: Patients waiting for critical diagnostic appointments had care delayed, in many cases by weeks or months.
1,710 Elective Procedures Postponed: Scheduled surgeries cancelled, including cancer operations and other serious procedures.
1,100 Cancer Treatments Delayed: Patients with active cancer diagnoses had treatment plans disrupted while pathology services were unavailable.
Over 900,000 Patients' Data Stolen: Personal health information, including sensitive medical details, published on criminal forums.
The psychological impact on patients who learned their cancer diagnoses or HIV status were published online is incalculable.
The Financial Cost
Direct Breach Costs
£37.7 Million (as of January 2025)
This includes:
Incident response and forensic investigation
Legal costs and regulatory compliance
IT infrastructure replacement
Manual operational costs
Staff overtime and emergency contracts
Indirect Costs
Reputational Damage: Loss of trust from NHS partners and patients
Insurance Premiums: Likely significant increases in cyber insurance costs
Opportunity Costs: Resources diverted from service improvement to disaster recovery
Long-term Infrastructure Investment: Necessary security upgrades post-breach
NHS Trust Costs
The full financial impact on affected NHS trusts has not been publicly disclosed but includes:
Costs of diverting patients to other providers
Emergency blood supply costs
Additional staffing for manual processes
Rescheduling thousands of cancelled procedures
The Technical Details
Attack Vector: Compromised Credentials
According to Beverley Bryant, who served as Chief Digital Information Officer at the affected trusts during the attack, the breach succeeded due to the absence of two-factor authentication.
How It Worked:
1. Qilin obtained valid credentials for Synnovis systems (method not publicly disclosed, but likely through phishing, info-stealer malware, or data breach)
2. Using these credentials, attackers authenticated to Synnovis infrastructure
3. Without an MFA requirement, stolen credentials provided full access
4. Attackers conducted reconnaissance, identifying critical systems
5. Attackers deployed ransomware across infrastructure
6. Systems encrypted, services collapsed
What MFA Would Have Stopped
Even with valid credentials, attackers would have been blocked at step 2. MFA requires:
Something you know (password)
Something you have (phone, security key)
Stolen passwords are useless without the second factor. Authentication fails. Attack stops.
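The two-factor check described above, as an added example that is not from the original article or from Synnovis: a small login verifier that uses RFC 6238 TOTP as the "something you have". The account record, the password and the `login` function are constructed for illustration; the TOTP secret is the published RFC 6238 test secret.

```python
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 30  # RFC 6238 default time step


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed account record: what the server stores for one user.
SALT = b"constructed-salt"
ACCOUNT = {
    "pw_hash": hash_password("Correct-Horse-42", SALT),
    "totp_secret": b"12345678901234567890",  # RFC 6238 test secret
}


def login(password: str, code: Optional[str], now: int,
          require_mfa: bool = True) -> str:
    """Return 'granted' or the reason the attempt was refused."""
    if not hmac.compare_digest(hash_password(password, SALT), ACCOUNT["pw_hash"]):
        return "denied: bad password"
    if not require_mfa:
        return "granted"  # password-only policy: a stolen password is enough
    if code is None:
        return "denied: second factor missing"
    # Accept the current step and one step either side for clock drift.
    for drift in (-1, 0, 1):
        t = max(now + drift * STEP_SECONDS, 0)
        if hmac.compare_digest(totp(ACCOUNT["totp_secret"], t), code):
            return "granted"
    return "denied: bad second factor"


if __name__ == "__main__":
    now = 59  # fixed clock so the run is reproducible
    print(login("Correct-Horse-42", None, now, require_mfa=False))
    print(login("Correct-Horse-42", None, now))
    print(login("Correct-Horse-42", totp(ACCOUNT["totp_secret"], now), now))
```

A production verifier would also rate-limit attempts and reject a code that has already been accepted in the same time step.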
Ransomware Deployment
Qilin used double-extortion tactics:
Encrypted systems to disrupt operations
Exfiltrated data to threaten publication
This is standard operating procedure for modern ransomware gangs. They want two leverage points: "Pay us to decrypt your systems" and "Pay us not to publish your data."
Synnovis refused to pay. The ransom demand was reportedly approximately £40 million. The organisation, in consultation with NHS trusts, made the ethical decision not to fund criminal enterprises.
Data Exfiltration
Qilin claimed to have stolen 400GB of data. According to Synnovis, this data was:
Taken "in haste from a working drive"
"Random and untargeted manner"
Not from primary laboratory database
"Unstructured, incomplete and fragmented"
However, the published data included enough personal and medical information to cause significant harm to patients whose details were exposed.
The Regulatory Response
Information Commissioner's Office (ICO)
The ICO was notified of the breach. As of November 2025, no fines have been announced. No criminal prosecutions have been initiated. No directors have faced personal consequences.
Compare this to the Health and Safety Executive's response to workplace deaths. Directors routinely face prison sentences when workers die due to missing safety equipment. A patient died due to missing security controls. Nobody has faced prosecution.
NHS Response
NHS England has:
Updated cyber resilience framework for health and social care
Transitioned NHS Data Security and Protection Toolkit to use NCSC Cyber Assessment Framework
Increased focus on supply chain cybersecurity
Provided additional support to affected trusts
What they have not done:
Mandated MFA across all NHS systems and suppliers
Created personal liability for executives who fail to implement basic controls
Established criminal penalties for gross cybersecurity negligence in healthcare
Political Response
Ministers expressed concern. Statements were issued. Nothing substantive changed.
The UK government has proposed banning ransomware payments by public sector organisations, but this addresses the symptom, not the disease. The disease is that basic security controls are treated as optional.
Why This Matters for Your Business
You might be thinking: "I am not running an NHS pathology service. This does not apply to me."
You are wrong. Here is why:
The Attack Vector Is Universal
Qilin did not use sophisticated exploits. They used stolen credentials and the absence of MFA. This same attack works against:
Accountancy firms
Law firms
Manufacturing companies
Retail businesses
Professional services
Any organisation where MFA is not enabled
The Consequences Scale with Criticality
Synnovis's breach killed a patient because they provide critical healthcare services. Your breach might not kill anyone, but it will:
Disrupt your operations
Expose customer data
Damage your reputation
Potentially destroy your business
The Defence Is Identical
What would have stopped Synnovis being breached will stop your business being breached: enable multi-factor authentication on every system. That is it. Free controls. Hours to implement.
The Liability Is Coming
While no director has yet faced criminal prosecution for cybersecurity negligence in the UK, the Synnovis case makes the legal argument undeniable. When preventable failures cause serious harm, executives should face personal consequences.
Even without legislation, civil liability is increasing. If your business suffers a preventable breach because you failed to implement free basic controls, good luck convincing a court you acted reasonably.
Lessons for UK Businesses
Lesson 1: Healthcare Supply Chains Are Critical Infrastructure
Synnovis is not technically part of the NHS. They are a private partnership providing services to the NHS. Yet their failure collapsed healthcare across a region of 2 million people.
If your business is part of any critical supply chain (which is more businesses than you think), your security failures affect more than just your organisation. You have a duty to implement appropriate controls.
Lesson 2: MFA Is Not Optional
There is no longer any justification for operating without multi-factor authentication in 2025. None. Zero. It is free. It takes hours to implement. It blocks the majority of credential-based attacks.
If you are reading this and MFA is not enabled on your business systems, stop reading and go enable it right now. Use Thursday's how-to guide if you need instructions.
Lesson 3: Ransomware Causes Physical Harm
The traditional view is that cyberattacks affect data and IT systems, not physical safety. Synnovis proved this wrong. When ransomware disrupts critical services, people die.
This has implications for risk assessment, board-level responsibility, and legal liability. Cybersecurity is not just an IT issue. It is a safety issue.
Lesson 4: Refusing Ransom Payment Is Ethical but Painful
Synnovis made the right decision not to pay the ransom. Paying ransomware gangs funds future attacks against other victims. It rewards criminal behaviour and enables the business model that makes ransomware profitable.
But refusing to pay means accepting the full impact of the attack. You must have sufficient resilience to survive without paying. This requires:
Comprehensive backups
Incident response plans
Insurance
Willingness to rebuild from scratch if necessary
Lesson 5: The ICO Will Not Save You
Some businesses operate as if ICO fines are the worst possible outcome of a breach. They are not. The worst outcomes are:
Operational collapse
Permanent loss of customer trust
Financial destruction
Legal liability
In Synnovis's case, contributing to a death
Compliance with data protection regulations is necessary but not sufficient. You need genuine security, not just compliance checkbox-ticking.
What Should Have Happened
Let me be absolutely clear about what should have happened at Synnovis:
Technical Controls:
MFA enabled on all systems (free, hours to implement)
Privileged access management for administrative accounts
Network segmentation to limit lateral movement
Comprehensive backup systems tested regularly
Governance:
Board-level cybersecurity expertise
Regular security audits
Clear accountability for security decisions
Budget allocated for security implementation
Accountability:
Directors asked direct questions: "Is MFA enabled?"
Documented decisions with clear ownership
Personal liability for gross negligence
Consequences for failures that cause harm
None of this is radical. None of this is expensive. All of it is basic cybersecurity hygiene that should have been standard practice.
The Uncomfortable Questions
This case raises questions that the UK cybersecurity establishment does not want to answer:
If MFA is free and takes hours to implement, why is it not legally mandated for critical infrastructure providers?
If a construction director goes to prison when a worker dies due to missing safety equipment, why does nobody face prosecution when a patient dies due to missing security controls?
If we know credential theft is the primary attack vector, and we know MFA blocks it, why do we treat MFA as optional?
If healthcare cybersecurity is so critical, why are NHS suppliers not held to the same rigorous standards as pharmaceutical manufacturers or medical device companies?
If boards and executives are responsible for organisational safety, why are they not held accountable when preventable cybersecurity failures cause serious harm?
The Synnovis case does not just expose a single organisation's failures. It exposes systemic failures in how the UK approaches cybersecurity governance, liability, and accountability.
Your Action Plan
If you are a business owner:
Verify MFA is enabled on all systems (use Thursday's guide)
Ensure your board has cybersecurity expertise
Document security decisions and responsibilities
Budget for basic security as non-negotiable operational cost
Test your incident response and backup systems
If you are a director:
Ask explicit questions about MFA status
Ensure you understand the cybersecurity risks your organisation faces
Verify you have reasonable defences in place
Remember that "I did not know" will not protect you when things go wrong
If you are in IT:
Present this case to your board
Request resources to implement MFA if not already done
Document any refusals or delays in writing
Protect yourself by ensuring decision-makers understand the risks
If you are a patient or citizen:
Ask your healthcare providers about their cybersecurity
Support calls for regulatory reform
Demand accountability when failures cause harm
The Bottom Line
A patient died on 3 June 2024 because ransomware shut down blood testing at Synnovis. The attack succeeded because multi-factor authentication was not enabled. MFA is free. Implementation takes hours. Nobody has faced criminal prosecution.
This is not a functioning accountability system. This is permission to fail.
The Synnovis disaster was entirely preventable. The next one will be too. The question is whether we will learn from this case or continue to ignore basic security until the next preventable death.
I know which outcome I am betting on. And it makes me furious.
Case Study Sources
| Source |
|---|
| Infosecurity Magazine: Patient Death Linked to NHS Cyber-Attack |
| The Record: Ransomware Attack Contributed to Patient's Death |
| Digital Health: MFA May Have Stopped Synnovis Attack |
| Howden: The Synnovis Cyber-Attack Warning |
| HIPAA Journal: Patient Death Linked to Ransomware Attack |
| Computer Weekly: Synnovis Attack Highlights NHS IT Degradation |
| Synnovis Official Cyber Attack Information Centre |