Skip to content

Should patients be worried about their stolen data?

Matt Precey
News imageGetty Images Composite image meant to represent computer software and hardware. On the left is a screen showing code in different colours. There is a pink hazard sign on the right of the picture.Getty Images
Tens of thousands of patients had their data stolen when an NHS testing provider was hacked by criminals in 2024

In June 2024, tens of thousands of patients' data was hacked from computer drives of a third-party testing provider, Synnovis, which was used by the NHS.

It was described as "one of the most significant and harmful cyber-attacks ever in the UK" and affected trusts in Essex, Bedfordshire and London and, most recently, a trust in Norfolk revealed its patient information was also breached.

Two years on from the ransomware attack, should patients be worried about their stolen data?

Who was behind the cyber-attack?

News imageA white logo against a black background. The white letters spell "Qilin" and the Q has a devil-like figure with horns in the centre of the letter.
Qilin, a Russian cyber-criminal group, was behind the attack in June 2024

Qilin, a Russian cyber-criminal group, uploaded 400GB of sensitive information held by Synnovis onto its darknet site following the attack in 2024.

Synnovis tests blood, tissue, and other samples and performs laboratory diagnostics for NHS hospitals and GPs.

The hackers broke into the computer systems of the company in an attempt to extort money, Synnovis said.

Shortly after the attack the BBC used an encrypted messaging service to speak to Qilin and the group said it had deliberately targeted Synnovis as a way to punish the UK for not helping enough in an unspecified war.

At the time, cyber security expert Ciaran Martin described that claim as "absolute garbage" and said the group's aims were "entirely financial".

Synnovis said the data was stolen "in haste and in a random manner" from its hard drives and in March said it had notified the organisations whose data had been affected.

Who was affected by the hack?

It has previously been reported a number of NHS organisations had their patient data breached during the incident.

King's College Hospital NHS Foundation Trust (KCH) and Guy's and St Thomas' NHS Foundation Trust were the first to reveal they had been affected.

On 2 June it emerged Bedfordshire Hospitals NHS Foundation Trust had nearly 33,000 records stolen.

The Mid and South Essex NHS Foundation Trust confirmed on Monday that 2,380 of its records had also been affected.

The BBC has now learned patients at Norfolk and Norwich University Hospitals Foundation Trust (NNUH) were also affected by the hack.

Chris Cobb, NNUH acting executive managing director, said: "We are working to identify any individuals affected and are adhering to NHS England and Information Commissioner's Office guidelines."

When NHS England was asked which trusts had their patient data stolen and the number of individuals that were affected, the body referred the BBC's inquiries to Synnovis.

Synnovis said that under UK data protection law, it was the responsibility of the individual organisations concerned to identify which patients had been affected and to notify them.

How much harm was caused?

News imageStuart Woodward/BBC The main entrance of Broomfield Hospital in Chelmsford showing a metal and glass canopy sticking out from the front of the building which is clad with a natural coloured material with multi-coloured blocks forming a strip down the middle of the building. There are rotating doors.Stuart Woodward/BBC
The stolen data included test results for patients at Mid and South Essex NHS Foundation Trust

The full extent of the damage arising from the attack is still being assessed.

KCH and Guy's and St Thomas' NHS Foundation Trust postponed 1,300 outpatient appointments and 205 elective procedures following the attack in 2024.

Blood tests and information-sharing could also not be carried out using the normal computerised systems, which meant that blood types could not be matched at the usual frequency.

One patient death at KCH has been officially linked to the incident due to a delay in receiving a blood test.

What if my data was hacked?

News imageSystal Technology Solutions Man with ginger hair and a beard smiling at the camera. He is wearing a blue shirt and a dark blue jacket. Behind him is the interior of an office building.Systal Technology Solutions
Deryck Mitchelson said medical data was some of the most "valuable" information on the dark web

Bedfordshire Hospitals NHS Foundation Trust said it was "not aware of any evidence that the information has been accessed or used inappropriately".

Mid and South Essex NHS Foundation Trust said it was contacting patients whose data had been affected by the attack.

The National Cyber Security Centre has also published guidance for individuals and families about what you can do to protect yourself from the impact of data breaches.

In a statement, Synnovis said: "Expert advice indicates that the risk to individuals is low."

Action Fraud, the UK's national reporting centre for fraud and cybercrime, said to contact the organisation if someone claims to have your data.

Deryck Mitchelson, a cyber-security expert from Systal Technology Solutions, told BBC Essex: "Medical data is some of the most valuable data on the dark web that the criminals are trying to sell and that's what's behind these attacks. It's commercial. They're trying to make money."

He added criminals were now also using artificial intelligence to analyse different datasets to increase their value.

Do you have a story suggestion for Essex? Contact us below.

Follow Essex news on BBC Sounds, Facebook, Instagram and X.

More on this story