Lessons from the Synnovis Cyberattack: Why Third-Party Risk is Patient Risk
The Synnovis ransomware attack wasn’t just another headline; it was a clear warning of how quickly supplier cyber risk can become patient risk. In this blog, we explore what the incident reveals about third-party assurance and share practical steps you can take now to protect patients by tightening your supply chain security.
The Synnovis attack wasn’t "just an IT issue"
Back in June 2024, Synnovis, a major NHS pathology services provider, was hit by a ransomware attack. The operational impact was immediate and widespread. Hundreds of GP practices and several large hospital trusts in the London area lost access to routine blood testing and diagnostics, forcing teams to switch to manual workarounds. Thousands of outpatient appointments and elective procedures were postponed. What would have been a technical disruption quickly became a clinical one.
Over time, the story got worse, not better. Investigations confirmed that a significant volume of sensitive patient data had been stolen, including identifiable information linked to lab results. Restoration was long and complex, requiring months of rebuilds and forensic analysis. Worst of all, the disruption was formally linked to at least one patient death.
If you want a single sentence takeaway from Synnovis, it’s this: supply-chain cyber risk is patient safety risk.
Why attackers go after suppliers
There’s a pattern here that any organisation in the UK should take seriously. Cyber criminals increasingly target suppliers rather than the 'big organisations' such as the NHS directly. The NHS is a hardened target: big security teams, national oversight, public scrutiny. Suppliers are different. They may be smaller, more stretched, or running a patchwork of legacy systems, yet they often hold privileged access to NHS data and workflows.
In the Synnovis case, this “weakest link” strategy was painfully clear. Pathology is a critical dependency for frontline care, but Synnovis isn’t an NHS trust; it’s a partner organisation. That distinction doesn’t matter to ransomware operators. They follow the access and the leverage.
And pathology isn’t unique. Think about digital triage tools, appointment platforms, imaging services, outsourced SOCs, transcription providers, and cloud hosting partners. Any one of them failing can create a knock-on clinical risk.
What “good” third-party assurance actually looks like
Most NHS organisations know they should assess suppliers. The gap is what that assessment looks like in practice.
A robust third-party assurance programme goes beyond a one-off questionnaire. It focuses on evidence, proportionality, and repeatability:
- Start with an inventory you trust. You can’t manage supplier risk if you don’t know who your suppliers are. Maintain a live list of vendors, including subcontractors where relevant, and map each to the systems they touch and the data they process.
- Tier suppliers by patient impact. Not all suppliers carry the same risk: a marketing platform and an outsourced lab system aren’t comparable. Rating suppliers by the sensitivity of the data they hold and the criticality of the service they provide lets you spend effort where it matters most.
- Verify security posture, don’t just accept it. Ask for proof of controls, not just a "yes" on a questionnaire: a patch-compliance report, an MFA configuration export, a redacted pen-test summary. For example:
  - How is patient data encrypted at rest and in transit?
  - What phishing training and simulation do staff complete?
  - What’s the patching SLA for critical vulnerabilities?
  - Is MFA enforced for all privileged accounts?
  - What logging and monitoring is in place?
  - Have they had a pen test in the last 12 months, and will they share the summary?
- Contract for security, not hope. Security expectations should be written into contracts: minimum standards, audit rights, breach notification timelines, and an obligation to flow the same requirements down to subcontractors.
- Re-assess on a schedule. Cyber risk changes quickly. A supplier you trusted last year might have new ownership, new infrastructure, or a worse threat landscape today. Annual reviews are table stakes for critical vendors; six-monthly is better.
Cyber Essentials Plus as a practical benchmark
One of the most useful yardsticks for UK health-sector suppliers is Cyber Essentials Plus (CE+), the NCSC-backed certification scheme. NHS Supply Chain has been increasingly clear that in-scope suppliers should hold CE+ or demonstrate equivalent controls. CE+ matters because it isn’t just self-attestation: unlike basic Cyber Essentials, it includes independent technical verification of baseline cyber hygiene.
Is CE+ perfect? No. It won’t stop a determined adversary on its own. But it does show that the fundamentals (patching, secure configuration, malware protection, access control and boundary defence) are in place and have been tested. Check the certificate’s scope too: a CE+ certificate can cover a subset of an organisation, so confirm it includes the systems and people that handle your data.
For digital health vendors, CE+ is increasingly becoming a “trust signal” in procurement. For trusts and ICBs, it’s a fast way to filter out suppliers that haven’t even cleared the first fence.
If you’re a supplier handling clinical systems or patient data and you don’t yet have CE+, now is the time to treat it as a strategic priority, not a box-ticking exercise.
Incident response must include your suppliers
Synnovis also teaches another hard lesson: even strong internal response plans fail if your vendor relationships aren’t part of the playbook.
Make sure your incident response plan covers:
- Named contacts at each critical supplier
- Agreed escalation routes and comms channels
- How evidence and timelines will be shared
- Who leads joint decision-making during outages
- How patient-safety impacts are tracked and mitigated
When a supplier goes down, time is clinical currency. You don’t want your first conversation to be, “Who do we even call?”
What changes next for the NHS supply chain
Regulators are looking where attackers already look: at the supply chain. The UK Cyber Security and Resilience Bill, now introduced to Parliament, aims to tighten cyber obligations for essential services and their suppliers. For NHS-linked organisations, this will likely mean more formal assurance, clearer accountability, and less tolerance for “we’re working on it” security gaps.
The NHS cyber strategy to 2030 also stresses the need for shared standards and resilience across partners. The policy winds are behind stronger vendor governance, and Synnovis gives the human reason why.
How Periculo can help
At Periculo, we work with health and care organisations to make third-party assurance practical, not painful. That includes onboarding checks for new vendors, risk-tiering across existing supply chains, and ongoing monitoring that’s proportionate to patient impact.
If Synnovis showed us anything, it’s that assurance isn’t red tape. It’s clinical protection by another name.
If you’d like a quick review of your supplier risk posture, or a roadmap to CE+ or DSPT (Data Security and Protection Toolkit) readiness, we’re happy to help.