cyber-crime
Two years on from ransomware attack, hospitals are still trying to identify and warn patients
The patient tally from the Synnovis ransomware attack continues to grow two years later, with Mid and South Essex NHS Foundation Trust confirming it was caught up in the breach.The trust told The Register that the Synnovis breach affected about 2,380 records relating to patients who underwent specialist diagnostic testing.The disclosure follows a similar announcement by Bedfordshire Hospitals NHS Foundation Trust, which earlier this month said that almost 33,000 patient records had been caught up in the same breach.
According to Mid and South Essex, some of the compromised data cannot yet be directly linked to individual patients, meaning the trust is still unable to determine the final number of people affected. It also said the precise time period covered by the stolen records has yet to be established, although patients tested after June 3, 2024, the day of the attack, were not affected.
"We are still waiting for confirmation on exact numbers," Dawn Scrafield, deputy chief executive of Mid and South Essex, told The Register. "Once we have established who those patients are, we will be in contact with any who have been affected."The disclosure highlights the drawn-out fallout from the attack. Synnovis told us it completed its forensic review by the end of last summer and said it had notified all affected organizations by November. However, Mid and South Essex said it was only informed in December 2025 and is still trying to work out exactly which patients are tied to the compromised records six months later."Any decision on patient notification, including the number of patients to be notified, is made by the affected organization as part of their assessment," a Synnovis spokesperson said in a statement. "Synnovis, as the Processor of the data, is not involved in any of the assessments regarding if, when or how many patients a Controller determines necessary to notify."
