What Happened
On June 3, 2024, the Qilin ransomware group attacked Synnovis, a pathology services provider that processes blood tests and manages blood transfusion services for major London NHS hospitals including Guy’s and St Thomas’ and King’s College Hospital. The attack disrupted pathology and blood services for months, forcing hospitals to cancel thousands of operations and appointments and triggering a critical blood supply shortage in London.
Impact on Patients
Blood tests could not be processed electronically, forcing hospitals to revert to manual processes. Blood transfusions were severely impacted as hospitals could not cross-match blood types using normal systems. An urgent appeal for O-type blood was issued because hospitals defaulted to universal donor blood (O-negative) when they could not determine patient blood types. Over 10,000 acute outpatient appointments and approximately 1,700 elective procedures were postponed in the first weeks. Emergency surgeries were diverted to unaffected hospitals.
Some services took over three months to fully restore. The backlog of cancelled appointments and operations created cascading delays across the London healthcare system. Mental health and community health services were also affected.
How They Got In
Qilin is a ransomware-as-a-service operation that has targeted healthcare organizations globally. The specific initial access vector for the Synnovis attack has not been publicly confirmed, but Qilin typically uses compromised credentials and phishing for initial access, employs double extortion through data theft followed by encryption, and targets organizations with limited cybersecurity resources.
Synnovis is a joint venture between Guy’s and St Thomas’ NHS Foundation Trust, King’s College Hospital, and SYNLAB, a European laboratory diagnostics company.
Exposed Data
Qilin published stolen data on its dark web leak site, reportedly including patient names and dates of birth, NHS numbers, blood test results and pathology reports, and internal Synnovis business data. The full scope of data exposure has not been publicly confirmed.
Timeline
Qilin ransomware was deployed on Synnovis systems on June 3, 2024. That same day, Synnovis declared a critical incident and blood services were disrupted. NHS Blood and Transplant issued an urgent appeal for O-type blood donors on June 4. Thousands of appointments and operations were cancelled across London throughout June. Qilin published stolen data on their dark web leak site on June 20. Partial restoration of some pathology services occurred in July. Most services were restored by September 2024, but the backlog remained.
Healthcare Sector Implications
The attack demonstrated that attacks on healthcare supply chain providers like pathology, radiology, and pharmacy services can be as devastating as attacks on hospitals directly. The blood supply disruption created a direct risk to life as patients requiring emergency transfusions faced delays. NHS England accelerated cybersecurity investment and reviewed the security posture of all critical third-party healthcare providers. The attack occurred one week before a UK general election, raising concerns about healthcare infrastructure resilience.
Key Lessons
Third-party healthcare providers are critical infrastructure and require the same security standards as hospitals. Blood services and pathology are single points of failure for hospital operations, and business continuity planning must include extended outage scenarios. Healthcare ransomware is not just a data breach but a patient safety incident with potential loss of life. Manual fallback procedures must be regularly tested, as hospitals that had practiced manual blood typing were better prepared.