Incident Analysis

Synnovis NHS Qilin Ransomware: Pathology Supply Chain Lessons

Eighteen months after Qilin encrypted Synnovis, the pathology provider finally finished notifying NHS trusts. We unpack how a single supplier paralysed London hospitals and how defenders can prepare.

Shadab Khan
Security Engineer
7 min read

On June 3, 2024, the Qilin ransomware group encrypted systems at Synnovis, the pathology joint venture between SYNLAB and two London NHS trusts, Guy's and St Thomas' and King's College Hospital, which also processes samples for primary care across south east London. The attack triggered a critical incident across the NHS in South East London: blood transfusion services fell back to manual handling, O-negative blood ran short, and trusts postponed more than 10,000 outpatient appointments and some 1,700 elective procedures. In June 2025 King's College Hospital NHS Foundation Trust confirmed that delays caused by the outage contributed to a patient's death, one of the few fatalities publicly attributed to a ransomware attack. By November 2025 Synnovis had finished notifying the NHS organisations whose patient data was caught up in the breach, roughly eighteen months after the intrusion. For defenders, the case is a textbook study in concentrated third-party dependency and a direct rebuttal of the assumption that ransomware impact stops at the IT layer: clinical workflows built around near-real-time lab integration cannot fall back to paper without friction that costs clinician time on every case and, here, contributed to a death.

Who is Synnovis and how did Qilin get in?

Synnovis is the largest pathology provider serving the NHS in London, running blood sciences, microbiology, histopathology and transfusion matching across hospital laboratories and community clinics. Qilin (also tracked as Agenda) is a Russian-speaking ransomware-as-a-service operation active since mid-2022. Synnovis has not publicly disclosed the initial access vector. Reporting by the BBC, Bloomberg and Recorded Future News points to compromised credentials and an unpatched remote-access path, consistent with the established Qilin affiliate playbook of buying access from initial access brokers and exploiting exposed Citrix, FortiOS or VPN appliances. The actor deployed Qilin's Rust-based encryptor across Synnovis's core laboratory systems after exfiltrating roughly 400 GB of data, which it later published on its data-leak site.

What did the attackers actually access?

The leaked dataset contained patient identifiers, NHS numbers, dates of birth and pathology results (including HIV, sexually transmitted infection and cancer screening data) drawn from the roughly 300 million patient interactions the system held. CaseMatrix and other observers estimated that personal data for around 900,000 NHS patients ended up in the leaked archive. Because Synnovis sits between primary care, secondary care and specialist clinics, the dataset spanned multiple trusts and many years. Crucially, the actor did not need to breach each downstream trust: one supplier compromise produced a multi-trust impact.

How long were they inside and how long did recovery take?

Public statements from Synnovis and the affected trusts put the encryption event on June 3, 2024, but Qilin affiliates typically spend days to weeks inside a victim environment before deploying ransomware, using that time for discovery, credential theft and staged exfiltration, so the intrusion itself almost certainly predates that date. Recovery of operational services took months: blood transfusion ran as a manual, paper-based process through summer 2024, IT restoration continued into late 2024, and the forensic data-impact analysis and notification phase did not finish until November 2025. Synnovis has said publicly that it did not pay the ransom.

What did existing controls miss?

Three failures stand out. First, criticality concentration: a single pathology vendor handling transfusion logistics for several large acute hospitals, including a major trauma centre, was a single point of failure with no tested alternative. Second, contractual resilience requirements never became operational testing: there were no demonstrated, regularly exercised manual fallback procedures that could keep elective surgery moving when Synnovis went dark. Third, downstream impact visibility was poor: trusts depending on Synnovis lacked timely insight into what data the supplier held, where it lived and which patients would need notification. The eighteen-month notification timeline reflects how hard data-impact reconstruction becomes when the breach happens upstream.

A Sigma rule a trust's or supplier's SOC can run over Windows Security 4688 events to catch the discovery tooling and WMI remote process creation that precede a Qilin encryption event. It needs Audit Process Creation enabled and "Include command line in process creation events" switched on, or CommandLine is empty. The selections are combined with OR because each describes one event, and a single process-creation event cannot be both nltest.exe and wmic.exe; sequencing discovery and then lateral movement on the same host is a correlation the SIEM has to do across events.

# Sigma-style rule: Qilin precursor, discovery tooling or WMI remote process creation
title: Qilin Affiliate Precursor Activity
status: experimental
description: AD discovery tooling (nltest, AdFind, SharpHound, net.exe domain queries) or wmic.exe remote process creation, both routinely seen before Qilin affiliates stage exfiltration and deploy the encryptor
tags:
  - attack.discovery
  - attack.t1018
  - attack.t1482
  - attack.lateral_movement
  - attack.t1047
logsource:
  product: windows
  service: security
detection:
  selection_discovery:
    EventID: 4688
    NewProcessName|endswith:
      - '\nltest.exe'
      - '\adfind.exe'
      - '\sharphound.exe'
      - '\bloodhound.exe'
  selection_net:
    EventID: 4688
    NewProcessName|endswith: '\net.exe'
    CommandLine|contains:
      - '/domain'
      - 'domain admins'
  selection_wmi:
    EventID: 4688
    NewProcessName|endswith: '\wmic.exe'
    CommandLine|contains|all:
      - 'process call create'
      - '/node:'
  condition: 1 of selection_*
falsepositives:
  - Legitimate domain admin tooling and scripted inventory jobs; tune selection_net first
level: medium
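The sequence the rule is really after, discovery on a host followed by WMI remote process creation from that same host, is a correlation job rather than a single-event match. The following Python is an added example, not code from this article or from any NHS or Synnovis system: it applies the same matching logic to parsed Security 4688 records and raises an alert only when WMI lateral movement follows discovery on the same host within a 30-minute window. The event records are constructed for the example, and the hosts, users and domain are hypothetical.

```python
"""Correlate Qilin-style precursor activity across Windows Security 4688 events.

Added example, not the article's or any organisation's own code. Events are
constructed dicts standing in for parsed 4688 records; field names follow the
event (Computer, SubjectUserName, NewProcessName, CommandLine). CommandLine is
only populated when "Include command line in process creation events" is on.
"""
import re
from datetime import datetime, timedelta

DISCOVERY_EXES = ("\\nltest.exe", "\\adfind.exe", "\\sharphound.exe")
NET_DOMAIN_MARKERS = ("/domain", "domain admins", "domain controllers")
WINDOW = timedelta(minutes=30)
NODE_RE = re.compile(r'/node:"?([^"\s]+)"?', re.IGNORECASE)


def is_discovery(ev):
    """AD discovery tooling, or net.exe used for domain group/account queries."""
    name = ev["NewProcessName"].lower()
    cmd = ev.get("CommandLine", "").lower()
    if name.endswith(DISCOVERY_EXES):
        return True
    return name.endswith("\\net.exe") and any(m in cmd for m in NET_DOMAIN_MARKERS)


def is_wmi_lateral(ev):
    """wmic.exe creating a process on a remote node."""
    name = ev["NewProcessName"].lower()
    cmd = ev.get("CommandLine", "").lower()
    return name.endswith("\\wmic.exe") and "process call create" in cmd and "/node:" in cmd


def correlate(events, window=WINDOW):
    """One alert per WMI lateral-movement event that follows discovery on the
    same host within `window`. Returns alerts sorted by time."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        by_host.setdefault(ev["Computer"], []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        discoveries = []
        for ev in evs:
            if is_discovery(ev):
                discoveries.append(ev)
            elif is_wmi_lateral(ev):
                recent = [d for d in discoveries if ev["TimeCreated"] - d["TimeCreated"] <= window]
                if recent:
                    m = NODE_RE.search(ev.get("CommandLine", ""))
                    alerts.append({
                        "host": host,
                        "user": ev["SubjectUserName"],
                        "first_discovery": recent[0]["TimeCreated"],
                        "lateral_time": ev["TimeCreated"],
                        "target": m.group(1) if m else None,
                        "discovery_count": len(recent),
                        "discovery_cmds": [d["CommandLine"] for d in recent],
                    })
    return sorted(alerts, key=lambda a: a["lateral_time"])


def _ev(host, user, ts, proc, cmd):
    return {"EventID": 4688, "Computer": host, "SubjectUserName": user,
            "TimeCreated": datetime.fromisoformat(ts),
            "NewProcessName": proc, "CommandLine": cmd}


# Constructed sample (hypothetical hosts and users): WS01 shows the full sequence;
# WS02 runs wmic with no prior discovery; WS03's discovery is outside the window;
# WS04's net.exe use is benign.
SAMPLE_EVENTS = [
    _ev("WS01", "j.smith", "2025-01-15T10:00:00", r"C:\Windows\System32\nltest.exe",
        "nltest /dclist:lab.example"),
    _ev("WS01", "j.smith", "2025-01-15T10:03:00", r"C:\Windows\System32\net.exe",
        'net group "Domain Admins" /domain'),
    _ev("WS01", "j.smith", "2025-01-15T10:20:00", r"C:\Windows\System32\wbem\WMIC.exe",
        'wmic /node:"LAB-SRV02" process call create "cmd /c whoami"'),
    _ev("WS02", "svc_backup", "2025-01-15T10:05:00", r"C:\Windows\System32\wbem\WMIC.exe",
        'wmic /node:LAB-SRV03 process call create "cmd /c dir"'),
    _ev("WS03", "a.jones", "2025-01-15T08:00:00", r"C:\Windows\System32\nltest.exe",
        "nltest /domain_trusts"),
    _ev("WS03", "a.jones", "2025-01-15T09:00:00", r"C:\Windows\System32\wbem\WMIC.exe",
        'wmic /node:"LAB-SRV04" process call create "notepad.exe"'),
    _ev("WS04", "b.lee", "2025-01-15T11:00:00", r"C:\Windows\System32\net.exe",
        r"net use Z: \\fileserver\share"),
]


def run_sample():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['host']} {a['user']}: discovery x{a['discovery_count']} from "
              f"{a['first_discovery']:%H:%M}, WMI exec on {a['target']} at {a['lateral_time']:%H:%M}")
```

Only WS01 produces an alert: WS02 never ran discovery, WS03's nltest was an hour before its wmic call, and WS04's `net use` carries no domain-query marker. In a real SIEM the same logic keys on user as well as host, and the window is tuned to the environment.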

What should healthcare defenders do now?

Six steps. First, build a clinical-criticality tier for every third-party service that touches patient care, separately from data-protection tiers. Pathology, imaging and pharmacy systems belong in tier zero, with recovery time objectives mapped to patient safety rather than only commercial SLAs. Second, require tier-zero suppliers to demonstrate offline-capable workflows annually (paper transfusion forms, fallback blood ordering, manual result reporting) with the trust observing the exercise. Third, require software inventories, SBOMs and a list of internet-facing appliances from clinical suppliers, so that an Ivanti, Citrix or FortiOS advisory can be matched against every tier-zero supplier from one console rather than by emailing each of them. Fourth, enforce MFA on every supplier remote-access path and rotate supplier-facing credentials that predate the incident, since Qilin affiliates buy and reuse credentials from initial access brokers. Fifth, fix breach-notification timing in contract: UK GDPR obliges a processor to notify the controller without undue delay, but only a contractual 72-hour preliminary notice, followed by weekly updates during the response, lets a trust meet its own 72-hour ICO deadline and avoids silence followed by an eighteen-month letter. Sixth, share Qilin and Agenda IOCs with NHS England's CSOC and regional CSIRTs so that a successor brand hitting one trust raises the alert across the others.
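Step 3 amounts to a join between a supplier register that carries the clinical tier and each supplier's component inventory. The Python below is an added example, not the article's or any vendor's code: it reads CycloneDX-shaped component lists, matches them against an advisory expressed with a CycloneDX-style `vers:` version range, and lists exposed suppliers tier-zero first. The suppliers, products, versions and the advisory are all hypothetical placeholders, and the `vers` handling is simplified to a single interval (constraints are treated as a conjunction) rather than the full specification.

```python
"""Match supplier SBOM components against an advisory, ranked by clinical tier.

Added example, not the article's or any vendor's code. Supplier names,
products, versions and the advisory are constructed placeholders.
"""
import re

OPS = (">=", "<=", "!=", ">", "<", "=")


def parse_version(v):
    """Dotted numeric version to a tuple; non-numeric parts count as 0 (simplification)."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def vcmp(a, b):
    """-1, 0 or 1 comparing versions, padding shorter tuples with zeros."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def satisfies(version, vers_range):
    """True if `version` lies in a vers: range such as 'vers:generic/>=7.0|<7.0.12'.
    Simplified: every constraint must hold, which is correct for a single interval."""
    if not vers_range.startswith("vers:"):
        raise ValueError("expected a vers: range")
    _scheme, _, spec = vers_range[5:].partition("/")
    for constraint in spec.split("|"):
        if constraint == "*":
            continue
        for op in OPS:
            if constraint.startswith(op):
                bound = constraint[len(op):]
                break
        else:
            raise ValueError(f"unsupported constraint: {constraint}")
        c = vcmp(version, bound)
        holds = {">=": c >= 0, "<=": c <= 0, "!=": c != 0, ">": c > 0, "<": c < 0, "=": c == 0}[op]
        if not holds:
            return False
    return True


def exposed_suppliers(register, advisory):
    """One record per (supplier, component) inside the advisory's affected ranges,
    sorted so tier-zero clinical suppliers come first."""
    hits = []
    for supplier, info in register.items():
        for comp in info["sbom"]["components"]:
            vendor = comp.get("supplier", {}).get("name", "")
            for aff in advisory["affects"]:
                if (comp["name"].lower() == aff["product"].lower()
                        and vendor.lower() == aff["vendor"].lower()
                        and satisfies(comp["version"], aff["range"])):
                    hits.append({"supplier": supplier, "tier": info["tier"],
                                 "service": info["service"],
                                 "component": comp["name"], "version": comp["version"]})
    return sorted(hits, key=lambda h: (h["tier"], h["supplier"]))


def _sbom(*components):
    """Minimal CycloneDX-shaped document."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "components": [{"type": "application", "name": n, "version": v,
                            "supplier": {"name": s}} for n, v, s in components]}


# Constructed supplier register (hypothetical names): tier 0 = on the patient-care path.
REGISTER = {
    "PathLab Services": {"tier": 0, "service": "pathology and transfusion",
                         "sbom": _sbom(("ExampleGate VPN", "7.0.9", "ExampleGate"),
                                       ("LabSuite LIMS", "4.2.1", "LabSuite"))},
    "Imaging Partners": {"tier": 0, "service": "radiology reporting",
                         "sbom": _sbom(("ExampleGate VPN", "7.0.12", "ExampleGate"))},
    "Pharmacy Hub": {"tier": 1, "service": "dispensing",
                     "sbom": _sbom(("ExampleGate VPN", "6.5.0", "ExampleGate"))},
    "Catering Co": {"tier": 3, "service": "meal ordering",
                    "sbom": _sbom(("ExampleGate VPN", "7.0.3", "ExampleGate"))},
}

# Constructed advisory; the id is a placeholder, not a real CVE.
ADVISORY = {
    "id": "ADV-EXAMPLE-0001",
    "summary": "Hypothetical pre-auth RCE in ExampleGate VPN 7.0.x before 7.0.12",
    "affects": [{"vendor": "ExampleGate", "product": "ExampleGate VPN",
                 "range": "vers:generic/>=7.0|<7.0.12"}],
}


def run_sample():
    return exposed_suppliers(REGISTER, ADVISORY)


if __name__ == "__main__":
    for h in run_sample():
        print(f"tier {h['tier']}  {h['supplier']:<18} {h['service']:<26} "
              f"{h['component']} {h['version']}  <- {ADVISORY['id']}")
```

Two suppliers surface, the tier-zero pathology provider first: Imaging Partners is on the fixed build, and Pharmacy Hub runs a 6.x build outside the affected interval. The ranking is the point; an advisory that hits a meal-ordering vendor and a transfusion lab should never land in the same queue with the same priority.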

How does this compare to other 2024-2025 healthcare ransomware events?

Synnovis fits a clear pattern. Change Healthcare in February 2024 produced a 192.7 million-person breach disclosure through a single supplier; Ascension Health in May 2024 produced a 5.6 million-record breach through a phishing-based intrusion at the principal; Kettering Health in May 2025 produced a 1.7 million-record breach with a 41-day Interlock dwell time inside the principal's network. Synnovis is distinctive because the operational disruption ran through a supplier the affected trusts did not control. The patient-fatality attribution at King's College Hospital is the rarest characteristic in this set; the others produced revenue impact and care delay but no publicly attributed clinical mortality. For the NHS specifically, the Synnovis case prompted NHS England to publish a 2025 cyber-resilience directive requiring trusts to map clinical-criticality tiers for all suppliers and to include ransomware scenarios in routine business-continuity exercises. The Information Commissioner's Office has not announced enforcement action against Synnovis, but an eighteen-month notification timeline is the kind of factor the ICO weighs when setting a proportionate monetary penalty under UK GDPR. Procurement teams across NHS trusts are now revising breach-notification clauses to require weekly progress updates rather than only the regulatory minimum.

How Safeguard Helps

Safeguard maps each clinical SaaS, lab system, and managed pathology platform to the SBOM and CVE footprint of every dependency it ships with, so an Ivanti, Citrix, or FortiOS disclosure immediately surfaces which suppliers in your tier-zero list are exposed. Griffin AI performs reachability analysis on supplier remote-access pathways, telling you which Synnovis-class vendors expose management consoles to the internet versus those that have been moved behind zero-trust access. TPRM workflows score upstream vendors against the CISA Secure by Design pledge, NHS DSP Toolkit, and ISO 27001 supplier-management clauses, and flag any partner who misses a 72-hour breach-notification SLA. Policy gates block deployments that integrate a vendor below your minimum maturity baseline, and ingest Qilin and Agenda IOCs from CISA, NCSC, and your sector ISAC so that responders see one prioritised supplier-impact view while pathology operations are still recovering.
