The patient tally from the Synnovis ransomware attack continues to grow two years later, with Mid and South Essex NHS Foundation Trust confirming it was caught up in the breach.

The trust told The Register that the Synnovis breach affected about 2,380 records relating to patients who underwent specialist diagnostic testing.

The disclosure follows a similar announcement by Bedfordshire Hospitals NHS Foundation Trust, which earlier this month said that almost 33,000 patient records had been caught up in the same breach.

According to Mid and South Essex, some of the compromised data cannot yet be directly linked to individual patients, meaning the trust is still unable to determine the final number of people affected. It also said the precise time period covered by the stolen records has yet to be established, although patients tested after June 3, 2024, the day of the attack, were not affected.

"We are still waiting for confirmation on exact numbers," Dawn Scrafield, deputy chief executive of Mid and South Essex, told The Register. "Once we have established who those patients are, we will be in contact with any who have been affected."

The disclosure highlights the drawn-out fallout from the attack. Synnovis told us it completed its forensic review by the end of last summer and said it had notified all affected organizations by November. 

However, Mid and South Essex said it was only informed in December 2025 and is still trying to work out exactly which patients are tied to the compromised records six months later.

"Any decision on patient notification, including the number of patients to be notified, is made by the affected organization as part of their assessment," a Synnovis spokesperson said in a statement. "Synnovis, as the Processor of the data, is not involved in any of the assessments regarding if, when or how many patients a Controller determines necessary to notify."

The company said it does not believe the stolen information presents a high risk to individuals because of its fragmented nature, but acknowledged that affected organizations are still assessing what was taken and whether patients should be contacted.

The breach was one of the most disruptive cyber incidents ever to hit the NHS. The Qilin attack crippled pathology services across south east London, forcing hospitals to cancel thousands of appointments and operations while clinicians struggled with delays to blood testing and transfusion services.

Patient data was later published online after the gang's extortion attempt failed.

However, the fallout wasn't limited to canceled operations and delayed blood tests. Last year, King's College Hospital NHS Foundation Trust confirmed that delays caused by the outage contributed to the death of a patient, marking one of the first officially acknowledged fatalities linked to a ransomware attack. ®