Cyber Incident Victim: Bedfordshire Hospitals NHS Foundation Trust

In June 2024 a cyber attack attributed to the Russia‑based criminal group Qilin compromised the computer drives of Synnovis, a third‑party provider that processes blood, urine and tissue samples for several NHS organisations. The attackers exfiltrated patient data that could include names, dates of birth, patient numbers, NHS numbers, postcodes and test results, and subsequently published the information on the dark web. Synnovis described the theft as having been carried out “in haste and in a random manner” and stated there was no evidence the data had been used maliciously. The incident affected a number of London hospitals that relied heavily on Synnovis for testing and IT systems.

Bedfordshire Hospitals NHS Foundation Trust disclosed that almost 33,000 of its patients had their data stolen in the same breach. Synnovis reported that it had notified all affected NHS trusts, leaving each trust responsible for informing individuals whose data had been taken. The trust confirmed it would be contacting those patients once the exact scope of the impact was established. Chief executive Mark Dollar of Synnovis said the company was offering “our full support” to the organisations affected by the attack.

Following the breach, Synnovis conducted a lengthy review of the stolen data and reiterated that the information had been posted on the dark web. The company emphasized that the data had been taken without apparent targeting and that no malicious use had been detected to date. Bedfordshire Hospitals NHS Foundation Trust, along with other impacted trusts, awaited further confirmation on the precise number of patients affected before proceeding with patient notifications.