Data Incident – Synnovis

Published: 31 December 2025

Details of the incident

North Cumbria Integrated Care NHS Foundation Trust works with an organisation called Synnovis, who test blood and other samples for us and share the results with the NHS staff caring for you.

In June 2024, Synnovis was the victim of a cyber-attack that significantly disrupted Synnovis’ services across the UK and resulted in some stolen data being published. Synnovis took urgent steps to limit the impact, including obtaining an injunction to prevent further publication of the data.

Because this stolen data was so fragmented and complex in its content, it took a long time for experts to piece it together and check whether it related to an individual.

In November 2025, Synnovis let us know that the stolen data included information from North Cumbria Integrated Care NHS Foundation Trust.

Data which has been impacted

Among the patients affected by this incident, the impacted data varies, but could include:

NHS number, hospital number or patient number
names
date of births
other information such as contact details and age group (sometimes incomplete - for example just a postcode)
health information needed to request the test, for example a code to show what the test was for
no information about actual test results was found for this organisation

We are very sorry this cyber-attack has impacted our patients. We want to reassure you that experts have confirmed it would be very difficult for criminals to:

understand the data - because it was in lots of fragments and took experts months to piece together

Steps we and Synnovis have taken to protect you

We take the security and privacy of your data very seriously. Please be assured that Synnovis took urgent actions to limit the effects of the cyber-attack on our patients.

This included:

working with the National Cyber Security Centre, the NHS and the National Crime Agency to respond to the criminal ransomware attack on Synnovis systems;
reporting the incident to the Information Commissioner’s Office (ICO);
getting a legal injunction to stop anyone accessing, sharing, publishing or misusing the stolen data.

In addition, we have taken the following actions:

looked at a copy of the stolen data that relates to our patients to understand who it impacted, how easily they could be identified from the data and considered whether there were any additional steps that patients could take to protect themselves;

reported what has happened to the ICO.

Steps you can take to protect yourself

When a personal data breach happens, sometimes criminals can use the stolen data in a way that could be harmful to you. There are however steps you can take to protect yourself. What they can do depends on the data that has been stolen.

A criminal could use names addresses and date of births to steal someone’s identity to commit fraud. For example, getting a financial credit in your name. The ICO has guidance on what signs to look out for that may mean you are the victim of identity fraud and what you can do.

The National Cyber Security Centre has produced cyber security guidance to help protect you and your family.

Contacting you

We are not contacting all individuals who have been impacted separately because we don’t have an easy way to ensure that all the contact details we hold are correct and up to date. It would also take a lot of time for us to do this, and we wanted to let you know what has happened more quickly.

Instead, we are publishing this information on our website.

Further information and support

Further information about this incident is available:

We understand that you may have questions or concerns about this incident. You can find out more information on the website pages above, in the answers to frequently asked questions

You can contact the Trust on 01228 603961.

You can email us at: DPO@ncic.nhs.uk.

You can write to us at: Data Protection Officer, North Cumbria Integrated Care NHS Foundation Trust, The Pillars Building, Cumberland Infirmary. Newtown Road, Carlisle CA2 7HY

The ICO has provided guidance on what to do if you are unhappy with how we have responded to your concerns. If you contact the ICO, please include the reference ‘Synnovis Incident’.

Return to News

Please note: we cannot respond to anything you leave in your feedback about this webpage. If you have concerns about your health or an appointment, please contact our support and advice (PALS) team.

Was the information on this page helpful? Required

How could we improve the information?

I agree to the privacy policy.

Data Incident – Synnovis

Details of the incident

Data which has been impacted

Steps we and Synnovis have taken to protect you

Steps you can take to protect yourself

Contacting you

Further information and support

Give feedback

Accessibility tools

Winter Patient Information

Stay well this winter

Support and advice (PALS)

Your hospital stay

How we're run

Be involved

Annual members' meeting

Building projects and innovation

Publications

Our strategies

Equality, diversity and inclusion (EDI)

Research and innovation