Almost 33,000 Bedfordshire patients had data stolen in cyber attack
- 3 June 2026
- Bedfordshire Hospitals NHS Trust says data relating to almost 33,000 patients was stolen and published online following the 2024 Synnovis ransomware attack
- The compromised information may include names, dates of birth, NHS numbers, postcodes and test results
- The trust says there is currently no evidence the data has been accessed or misused
Bedfordshire Hospitals NHS Foundation Trust has revealed that almost 33,000 of its patients had personal data stolen and published online following a major ransomware cyber attack two years ago.
In a statement published on 1 June 2026, the trust said the stolen data came from administrative files rather than an operational database and may relate to historic test activity carried out before November 2020.
The trust said the data may relate to individuals who received laboratory or diagnostic tests at Bedford Hospital or Luton and Dunstable Hospital between 2011 and 2020.
The information involved may have included patients’ names, dates of birth, patient numbers, NHS numbers, postcodes and test results. Analysis by Synnovis suggests the stolen data related to approximately 32,927 individuals.
The ransomware attack on pathology supplier Synnovis occurred in June 2024, disrupting services across a number of NHS organisations. Nationally, the incident led to 10,152 acute outpatient appointments and 1,710 elective procedures being postponed.
The trust said, “because the stolen data was highly unstructured and fragmented, it took an extended period of technical analysis to determine what was taken and how it might relate to specific organisations and individuals”.
It added that “the supplier continues to monitor online forums where the material was published and has obtained a court injunction prohibiting third parties from accessing, sharing, publishing or misusing the stolen data”.
“While the data remains present in those places, publication alone does not mean that it has been used in a harmful way. At this time, we are not aware of any evidence that the information has been accessed or used inappropriately,” the statement said.
A spokesperson for Synnovis said: “While we understand that patients may be concerned, expert advice indicates that the risk to individuals is low.
“The fragmented and complex nature of the stolen data means significant specialist time and effort is required to access it, which is a strong deterrent to anybody with ill-intent.
“Nevertheless, we exhausted every measure available to us to minimise harm to patients, including successfully applying for an injunction to restrict the further sharing of this data.”
As a precaution, the trust recommends patients “remain alert to any unexpected communications asking for personal information”, “avoid clicking on links or opening attachments from unknown sources”, and “be cautious of unsolicited calls, emails or texts that reference your information”.
The statement added: “We recognise that news of a cyber-incident involving a supplier may be concerning.
“While this incident did not occur within our own systems, we take the protection of personal data seriously and are committed to ongoing oversight of our suppliers and the security arrangements in place.”
Cyber security expert Saif Abed, founding partner at the AbedGraham Group, told Digital Health News that “a two-year delay is unacceptable across all parties involved”.
“Additionally, the reassurances provided about the ease with which the compromised data can be analysed and used to identify patients do not chime with the known capabilities of adversaries that now have this type of data.
“NHS patient data is now out there and subject to extensive misuse without any recourse for those affected or any confidence that this will not simply happen again,” he added.
Last year, Abed called for a public inquiry into the Synnovis ransomware attack.