Breach Analysis · Breaking · 8 June 2026 · 4 min read

Essex NHS hospitals: 2,380 patient records compromised in Synnovis cyber attack

Mid and South Essex NHS Foundation Trust has confirmed around 2,380 patient test records were stolen via third-party diagnostics provider Synnovis, as the fallout from the June 2024 Qilin ransomware attack continues to widen.

Mark Fermor

Director & Co-Founder, Firevault


Mid and South Essex NHS Foundation Trust (MSE) has confirmed that around 2,380 patient test records were compromised in the cyber attack on diagnostics provider Synnovis, becoming the latest NHS organisation to surface in the long tail of the June 2024 Qilin ransomware incident.

What happened

The trust, which runs Southend Hospital along with Basildon and Broomfield, and provides services at sites in Braintree, Maldon and Orsett, was notified of the breach in December 2025. The data sat with Synnovis, the third-party pathology provider, not on the trust’s own systems.

Dawn Scrafield, deputy chief executive for Mid and South Essex NHS Foundation Trust, said records relating to patients who had a mixture of specialist diagnostic tests were affected, and that some data is not directly linked to patients, so final numbers are still being confirmed. The trust said it will contact affected patients once they have been identified.

What data was exposed

According to Synnovis, the stolen information could include:

  • Names
  • Dates of birth
  • NHS numbers
  • Postcodes
  • Test results

Patients tested after 3 June 2024 are not believed to be affected. While the breached data did not come from the trust’s own systems, MSE has brought in external cyber security experts to support the response.

The attack chain

Synnovis was hit by a ransomware attack on 3 June 2024, disrupting pathology services across multiple London and South East NHS organisations and significantly reducing its capacity to process tests. On 20 June 2024, the attackers published stolen data files online. A Russia-linked cyber-criminal group known as Qilin previously claimed responsibility.

Eighteen months on, downstream trusts are still working out exactly which of their patients appear in the leaked files. MSE is one of several NHS organisations now confirming exposure as the review of the dumped data continues.

Why this matters

This is, at heart, a supply chain breach. The trust did not lose control of its own infrastructure; it lost control through a service provider that aggregates sensitive data on its behalf. Pathology in particular concentrates highly identifying information, including NHS numbers and clinical results, in a small number of processing labs. When one of those labs is compromised, the impact lands across dozens of providers and millions of patients.

The harm is also long lived. Names, dates of birth and NHS numbers do not expire. Once they are in criminal hands they fuel identity fraud, targeted phishing and insurance abuse for years, regardless of how quickly the original incident is contained.

Protection through physical disconnection

The Synnovis incident is a textbook case for keeping a copy of irreplaceable records on infrastructure that simply cannot be reached over the wire. Live diagnostic workflows have to be online. The historical archive does not.

Firevault stores sensitive records on a Layer 1 physically disconnected vault, governed by the VPPP framework (Vault, Policy, Permissions, Purpose). The vault is only connected when an authorised action is taking place, and is otherwise unreachable by any remote attacker, including ransomware operators with valid credentials. A copy of patient records held this way would still exist, intact and uncopied, on the day a third-party processor is breached.

As Mark Fermor, Director and Co-Founder of Firevault, has set out repeatedly: the lesson from incidents like Synnovis is not more layers of online defence, it is removing the most sensitive records from the attack surface altogether.

Key takeaways

  • Supply chain is the perimeter. An attack on a diagnostics processor became a breach for every trust that relied on it.
  • Patient PII has a long shelf life. NHS numbers and dates of birth do not rotate; the harm window is measured in years.
  • Breach notification lags reality. Patients are being identified eighteen months after the initial intrusion.
  • Online defence alone is not enough. An archival copy held offline, on a physically disconnected vault, cannot be exfiltrated in the same event.
  • Third-party due diligence matters. Where critical data is processed by a single provider, concentration risk needs to be priced in.

Source: Braintree & Witham Times — Essex NHS hospitals records compromised in cyber attack.
