ComputerWeekly

Scale of Synnovis breach widens as Essex NHS Trust comes forward


Mid and South Essex NHS Foundation Trust (MSE), which is responsible for sites in Chelmsford, Basildon and Southend, is to contact an unspecified number of its patients whose personal data was stolen in the 2024 Qilin ransomware attack on NHS lab services partner Synnovis.

The incident caused chaos across parts of the NHS, with hospitals in South London particularly badly affected, and led to thousands of cancelled outpatient appointments and elective procedures. The Qilin gang later published over 400GB of sensitive data taken from the various NHS bodies to which Synnovis provides testing services.

However, while the basic facts of the incident were quickly established, it took nearly 18 months for Synnovis to complete its full forensic investigation and to begin to inform downstream NHS organisations that their patients’ data were compromised. MSE was among those bodies informed towards the end of 2025, and it has since conducted its own investigation into the breach.

MSE deputy chief executive Dawn Scawfield said: “Records relating to patients who had a mixture of specialist diagnostic tests were affected. Some data is not directly linked to patients, so we are still waiting for confirmation on exact numbers. Once we have established who those patients are, we will be in contact with any who have been affected.”

At the time of writing, Computer Weekly understands that approximately 2,380 records are involved, and that while the exact time period during which the affected tests were conducted is yet to be determined, all of the exposed data relate to tests taken before 3 June 2024, the approximate date of the Synnovis attack.

Number of breaches may widen

At this point in time, it is not publicly known how many other NHS Trusts are impacted, although it is thought likely that others will come forward.

Last week, Bedfordshire Hospitals NHS Foundation Trust revealed that data on just under 30,000 patients, including names, birthdates, patient and NHS numbers, postcodes and test results, was stolen.

In this instance, the data appear to be from historic testing done prior to November 2020 – however, the Trust said, the records themselves are fragmented, incomplete, and dispersed throughout multiple files, so they are hard to interpret accurately.

Lee Sult, chief investigator at Binalyze, a threat intelligence platform, said the most worrying aspect of the Synnovis incident was the length of time that it has taken to establish the true nature and extent of the stolen data.

“If we’re still trying to determine the true scale two years later, it’s less an investigation than a slow-burn crisis. Every month that passes is time NHS numbers, names, dates of birth and test results sit in criminal hands – and nobody knows what’s being done with them,” he said.

“Perhaps the most dangerous aspect of these timelines is the signal they send. Slow detection, fragmented investigations and delayed disclosures advertise weakness. State-backed threat actors and organised cyber criminal groups act based on opportunity. Slow response in a data-rich industry is a clear signal that attacks can be carried out without consequence for years.”


