Synnovis confirms data published by Qilin Ransomware gang is legitimate

Last week, the Qilin ransomware gang published a subset of data on its leak site as proof of hacking into Synnovis’ systems. Now, the London-based pathology services provider has confirmed the legitimacy of the breach, stating that the data is from its administrative storage drive and includes fragments of patient-identifiable information.

On Friday, hackers associated with the Russian-linked Qilin ransomware gang released approximately 400 gigabytes of sensitive patient data. This data reportedly includes names, dates of birth, NHS numbers, and descriptions of blood tests stolen from Synnovis’ systems.

Following the data leak on the dark web, Synnovis confirmed on Monday that the published data is genuine. However, the company noted that it is still too early to determine the full extent of the compromised information.

Synnovis confirmed the following key points :-

• There was no evidence that the Laboratory Information Management Systems (the software that supports laboratory operations) databases had been posted. These are the main systems holding the patient test requests and results.

• However, our administrative working drive has been posted in partial and fragmented form. This will contain some fragments of patient identifiable data. Understanding this is our current priority.

• The area where we store payroll information has not been published, but more needs to be done to review other data that has been published relating to our employees. 

They went on to state “We and the technical experts who are supporting us are working as fast as we can to try to be able to confirm more details and appreciate that waiting will potentially cause people some concern. We will keep our service users, employees and partners updated as the investigation progresses.”

NHS England has acknowledged Synnovis’ initial analysis, confirming that the published data did indeed originate from their systems. According to NHS England, the complexity of these investigations means it could take weeks to identify all impacted individuals.