Cyber Incident Victim: Mid and South Essex NHS Foundation Trust

In June 2024 a cyber attack compromised the computer drives of the third‑party testing provider Synnovis, which analyses blood, urine and tissue samples for NHS organisations. The attack resulted in the theft of patient test result data that was later published on the dark web. Mid and South Essex NHS Foundation Trust (MSE) was notified of the breach in December 2024 and confirmed that 2,380 records belonging to its patients had been taken. A Russia‑based cyber‑criminal group known as Qilin has previously admitted responsibility for the attack, which also affected a number of London hospitals that relied on Synnovis for testing and IT systems.

The stolen information could include names, dates of birth, patient numbers, NHS numbers, postcodes and test results, although MSE noted that some of the data is not directly linked to patients and that exact numbers are still being verified. Bedfordshire Hospitals NHS Foundation Trust disclosed that almost 33,000 of its patients had their data stolen in the same incident, indicating the broader scope of the breach. MSE stated that it would contact any individuals whose data had been taken once the exact affected patients are identified. The trust emphasized that the breach did not involve its own systems but originated from the external provider.

Following the breach, Synnovis conducted a lengthy review of the stolen data and said it had notified all affected NHS trusts, leaving individual trusts responsible for informing patients. MSE’s deputy chief executive, Dawn Scrafield, said the records affected relate to a mixture of specialist diagnostic tests. At a recent board meeting the trust reported that it had brought in cyber security experts to strengthen its own systems despite the data not residing on MSE networks. Synnovis’s chief executive, Mark Dollar, said the company was offering its full support to the organisations affected by the incident.