Bedfordshire Hospitals NHS Foundation Trust has issued a public notification disclosing that personal data relating to approximately 32,927 patients was among material stolen during the 2024 Synnovis ransomware attack.
The Trust confirmed that the data was extracted during a ransomware attack on Synnovis - a pathology services provider - in June 2024, which affected multiple NHS organisations. Criminals unlawfully accessed Synnovis's internal systems and subsequently published stolen files on online forums associated with data theft.
The Trust said that the delay between the attack and the notification was a result of the highly fragmented nature of the stolen data. Because the files were not held in a structured database format, it took specialist forensic teams more than a year to reconstruct and analyse the material to determine which organisations and individuals were affected.
Bedfordshire Hospitals was informed by Synnovis in October 2025 that data relevant to its patients had been identified. The Trust conducted its own review of the material before deciding to publish the notification.
The data involved originated from internal administrative files rather than operational clinical records, and is understood to relate to laboratory and diagnostic test activity at Bedford Hospital and Luton and Dunstable University Hospital between 2011 and 2020. The information potentially includes names, dates of birth, patient numbers, NHS numbers, postcodes and test results. The Trust said that the data's fragmented and incomplete nature significantly limits how easily it could be interpreted or linked to individuals.
The Trust said it has notified the Information Commissioner's Office (ICO) and has also liaised with the NHS England Information Governance team. Synnovis has obtained a court injunction prohibiting third parties from accessing, sharing or distributing the stolen material, and continues to monitor the online forums on which it was published.
The Trust said there is currently no evidence that the data has been accessed or misused. It described the residual risk to affected individuals as low, though it warned that limited risk of unsolicited contact or phishing attempts remains.
Patients who may be affected are advised to remain alert to unexpected communications requesting personal information, to avoid clicking on links or opening attachments from unknown sources, and to be cautious of unsolicited calls, emails or texts referencing their details.
Further information on the Synnovis cyber incident is available at www.england.nhs.uk/synnovis-cyber-incident/.
