Cyber-attack Timeline: Synnovis & NHS UK

Educational & easy-to consume visual guides to understanding attacks & enhancing resilience

Synnovis NHS Timeline Synnovis NHS  Summary

Download Our Educational Cyber-Attack Timeline: NHS & Synnovis Attack

The recent ransomware attack on Synnovis, a pathology service provider in the UK, led to massive disruption in healthcare service delivery by the NHS. Blood transfusions, test results, operations related to cancer treatments and even C-sections had to be rescheduled. The attackers stole and leaked 400GB worth of sensitive data and attempted to extort money from Synnovis. 
 
The attack, once again, underscored the vulnerability of healthcare systems to cyber threats and the critical need for robust cybersecurity defences.
 
Find out exactly what happened and what the full extent of this debilitating attack was with our NHS UK & Synnovis Cyber Attack Timeline. 

Read our blog on the NHS UK and Synnovis Ransomware Attack and the lessons that we can all learn from it. 

 

Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices. Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.

  • ** GDPR ** We wholeheartedly believe your and our rights to privacy and in the GDPR. The bottom of the page explains how we use your data. 
  • Align with the GDPR requirements.
  • Increase your Breach Readiness.
  • Reduce your time to detect and respond.

Complete the form below to receive a copy of the detailed Synnovis & NHS UK attack timeline document and summary.

cyber-essentials-certification
NCSC Certified Training B&W 300px
CSC

FAQs on the Synnovis and NHS UK Cyber Attack

  • 1. What happened in the Synnovis and NHS cyber attack?

    On Monday 3 June 2024, Synnovis — the pathology and laboratory services provider for several major London NHS organisations — was hit by a ransomware attack that cut hospitals off from its IT systems. Major London hospitals, including those run by Guy’s and St Thomas’ and King’s College Hospital NHS Foundation Trusts, declared a critical incident as operations were cancelled, blood transfusions disrupted and emergency patients diverted. Because pathology underpins blood testing, transfusions and diagnostics, the attack rippled across hospitals, GP surgeries and community services in south east London, making it one of the most damaging attacks on UK healthcare to date.

  • 2. When did the Synnovis cyber attack take place?

    The ransomware attack struck on 3 June 2024, and a critical incident was declared on 4 June 2024. Acute disruption lasted around three weeks, though NHS leaders and experts warned that full recovery could take months, with some impact feared to continue into September 2024. The attackers published stolen data online in mid-to-late June 2024, and the incident dominated NHS operations in south east London throughout that month.

  • 3. What is Synnovis and which hospitals and services were affected?

    Synnovis is a pathology partnership between SYNLAB UK & Ireland, Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospital NHS Foundation Trust, providing laboratory services to the NHS and other users. The attack hit both trusts and their hospitals — including King’s College Hospital, Guy’s and St Thomas’, the Royal Brompton and the Evelina London Children’s Hospital — as well as GP and primary care services across the Bexley, Greenwich, Lewisham, Bromley, Southwark and Lambeth boroughs.

  • 4. Who was behind the Synnovis cyber attack?

    The attack was attributed to Qilin, a Russian-speaking cybercriminal ransomware group. Ciaran Martin, former head of the UK’s National Cyber Security Centre, named Qilin on BBC radio, noting the group had previously targeted organisations including the Big Issue and Australian courts and was ‘simply looking for money’. Qilin later spoke to the BBC, claiming the attack was a form of political protest, though security experts cautioned that such groups routinely lie about their motives and origins.

  • 5. What kind of cyber attack was it?

    It was a ransomware attack on Synnovis’s IT systems, which disrupted the pathology infrastructure that hospitals and GPs rely on. The exact method of initial access was not publicly disclosed. Experts described it as a deliberate, targeted operation ‘designed to hurt’ so the victim would feel pressure to pay, and the gang later attempted to extort Synnovis and published stolen data when no payment was forthcoming.

  • 6. What was the impact on patients and hospital services?

    The loss of pathology services severely affected blood transfusions, test results and diagnostics. Hospitals cancelled or postponed operations, GP surgeries cancelled routine blood tests, transplant cross-matching was disrupted, and optional blood-borne virus testing (HIV, Hepatitis C and Hepatitis B) was temporarily suspended. Medical students were drafted in as ‘floorwalkers’ to hand-deliver blood samples, and clinicians warned that delayed tests and repeat investigations created real risks to patient safety.

  • 7. How many operations and appointments were affected?

    According to NHS figures, more than 1,100 operations were postponed in total, almost 200 of them relating to cancer treatments. In the first week alone, over 800 planned operations and 700 outpatient appointments were rearranged. NHS London also reported that five planned caesarean sections were rescheduled and 18 organs were diverted for use by other trusts, alongside hundreds of postponed hospital and community outpatient appointments.

  • 8. Was patient data stolen in the Synnovis attack?

    Yes. The Qilin group published almost 400 GB of stolen private information, reported to include sensitive patient data, on its darknet site, and used the leak as leverage to try to extort Synnovis. The exact contents and the number of individuals affected were still being assessed at the time of reporting, and the data theft compounded the operational disruption already caused by the attack.

  • 9. Was a ransom demanded or paid?

    The attackers sought to extort money from Synnovis and published stolen data when their demands were not met, which experts said pointed to a financially motivated operation. There is no confirmation that Synnovis or the NHS paid any ransom. UK guidance generally discourages paying ransoms, as payment does not guarantee data recovery and helps fund further criminal activity.

  • 10. Why did the NHS appeal for O-type blood donations?

    Because hospitals often could not access patients’ blood-type records or match blood during the outage, NHS Blood and Transplant appealed for extra O-negative and O-positive donors — the ‘universal’ types that can be used safely when a patient’s blood type is unknown. The blood donation website introduced a queuing system to manage demand, and donors were urged to book appointments at NHS Blood Donor Centres across England.

  • 11. How did the NHS, Synnovis and the government respond?

    Synnovis brought in a taskforce of IT experts and reported the incident to the police and the Information Commissioner’s Office, while NHS England declared a level-three (and later regional) incident, coordinated mutual aid, rerouted tests to other pathology providers and arranged extra universal blood stocks. The National Cyber Security Centre, National Crime Agency, Department of Health and Social Care and the health secretary were all engaged, with patient safety stated as the priority throughout.

  • 12. What can organisations learn from the Synnovis cyber attack?

    The Synnovis incident shows how an attack on a single third-party supplier can cascade across an entire critical-service ecosystem, in this case threatening patient safety far beyond data loss. The key lessons are the importance of supply-chain and third-party risk management, tested incident response plans and crisis playbooks, regular cyber crisis tabletop exercises, and resilient manual fallback processes for essential services. Cyber Management Alliance helps organisations build these capabilities through training, cyber crisis tabletop exercises and incident response planning.

We are industry experienced practitioners when it comes to cyber security training & cyber security consultancy services

1487652208_graduationcap

Training

We offer a host of courses including our NCSC Assured Training in Cyber Incident Planning and Response and our NCSC Assured Training in Building and Optimising Incident Response Playbooks.

1487652701_like

Virtual CISO Services

Hands On, full-support 'Security As a Service', specifically designed for organisations that require access to experienced cybersecurity, governance, risk and compliance professionals.

1487652784_calendar-3

Virtual Cyber Assistant

A unique, affordable, subscription-based, cybersecurity service for small to medium businesses, offering 280+ services in cybersecurity.

1487652846_microphone

Cyber Crisis Tabletop Exercises

Scenario-based, verbally-simulated tabletop attack exercises that test your organisation's ability to effectively respond to a cyber-attack.

1487652632_search

Ransomware Tabletop Exercise

Measure your organisation’s Ransomware Readiness with a unique blend of verbal and visual simulations and ransomware scenario walkthroughs.

1487652567_line-chart

Executive Cyber Awareness Sessions

Specially designed for executive management, CEOs and boards of directors, engaging them in a business context to help explain the threats and risks from cyber-attacks.

How we use your data:

  • The form above collects personal information so we may email you the requested information and pressing the "Get your free copy now"  button acts as informed consent for this processing purpose. Consequently we may be in touch to:

    • Update you when we host our ground-breaking Wisdom of Crowds events in your country or region.
    • Keep you posted on free resources and documents around Wisdom of Crowds events and its outputs. (For example, we tend to create insightful mind maps and we also are the creators of free to view Insights with Cyber Leaders Video Interviews. )
    • Ping you a note about upcoming FREE educational webinars on GDPR and Cybersecurity.
    • Inform you of any upcoming Data Breach Response or Cyber Incident Response training.  
  • Using the information from this page we will NOT sell or market to you any of our consultancy or trusted advisory services.  
  • In its purest interpretation, this act of us communicating with you is direct marketing and is processed on the basis of our legitimate interest and your engaging in our services. All marketing communication will include an unsubscribe button or other method of ending communication.

Download the NHS UK Ransomware Attack detailed document and timeline today. 

download template