Alexander Martin reports:
More than 11 months after a ransomware group published information from a U.K. pathology services company, the affected patients still have not been informed about what data of theirs was exposed in the incident, with material about sexually transmitted infections and cancer cases being included in the leaks.
The data was compromised during an attack by the Qilin cybercrime group against London-based Synnovis last June. The attack severely disrupted care at a large number of National Health Service (NHS) hospitals and care providers in London.
Synnovis maintains an information page about the incident, but it still has not provided an estimate of the number of patients impacted, nor a detailed list of what data was published by the criminals.
Read more at The Record.
Comment: It is not clear to DataBreaches from the reporting or Synnovis’s statement whether Synnovis will be notifying the organizations who will then notify their patients, or if Synnovis will also be directly notifying affected patients, although the former seems more likely. What is also not clear at this time is why Synnovis has not been using a “rolling” notification process whereby patients are notified as soon as their data has been confirmed as affected. That way, at least a significant percentage of patients might have been notified by now. Perhaps the absence of a hard deadline for notification takes pressure off entities to notify more quickly?