UK National Health Service links patient death to a ransomware
June 30, 2025 |
Health services, especially hospitals, are a prime target for cyber attackers. The defences are usually weak and the responses confused. The target of the attack is personal information but ransomware is a common method of extorting payment. But ransomware attacks can have dramatic consequences. The National Health Service in England has linked a ransomware attack in June 2024 on pathology laboratory services provider Synnovis as a contributing factor to the death of a patient. One of the contributing factors that led to the patient’s death was a long wait for a blood test result due to the cyberattack.
A Russian-speaking ransomware group Qilin claimed responsibility for the attack, which triggered a nationwide shortage of type O-negative blood. The attack disrupted Synnovis’ ability to perform a host of services, including blood testing, leading to the cancellation or postponement of 10,152 acute outpatient appointments and 1,710 elective procedures at the most affected NHS trusts – London’s King’s College Hospital and Guy’s and St. Thomas hospitals. It has been reported by the BBC in Ransomware attack contributed to patient’s death.
This is not the first fatality linked to a ransomware attack. In 2020 a patient in Germany died died during a cyber attack of a hospital in Dusseldorf. Wired has an excellent article regarding that very tragic event.
The BBC article provides:
The death of one person has been linked to a ransomware attack on NHS blood services at London hospitals and GP surgeries last June.
King’s College Hospital NHS Foundation Trust confirmed that one patient had “died unexpectedly” during the cyber attack on 3 June 2024, which disrupted more than 10,000 appointments.
A spokesperson for the trust said a number of contributing factors led to the patient’s death including “a long wait for a blood test result”.
Patient data managed by Synnovis, an agency which manages labs for NHS trusts and GPs in south-east London, was stolen during the incident.
A spokesperson for the trust said a detailed review had been undertaken of the patient’s care.
“The patient safety incident investigation identified a number of contributing factors that led to the patient’s death,” they said.
“This included a long wait for a blood test result due to the cyber-attack impacting pathology services at the time.
“We have met with the patient’s family, and shared the findings of the safety investigation with them.”
The spokesperson added they could not confirm the date of the death or the person’s age, citing confidentiality.
Mark Dollar, chief executive of Synnovis, said: “We are deeply saddened to hear that last year’s criminal cyber attack has been identified as one of the contributing factors that led to this patient’s death.
“Our hearts go out to the family involved.”
More than 10,000 appointments were cancelled at the two London NHS trusts that were worst affected. A significant number of GP practices in London were unable to order blood tests for their patients.
The Health Service Journal (HSJ) reported there were nearly 600 “incidents” linked to the attack, with patient care suffering in 170 of these. One case was of “severe” harm, 14 led to “moderate” harm and the remaining were identified as “low harm”, HSJ said.
According to NHS guidance, severe harm occurs when patients either suffer permanent harm; need life saving care or could have reduced their life expectancy, among a number of other factors.
‘Not to blame’
Deryck Mitchelson, from cyber security firm Check Point, said the cyber attacks were more than just “disruption” as they caused “patient harm”.
Mr Mitchelson, formerly director of National Digital and chief information security officer for NHS National Services Scotland, said IT systems were only ever as secure as the weakest link in the chain.
“The death now confirmed is tragic, but it is not surprising. When systems that underpin diagnostics and treatment are brought down at scale, the consequences are not hypothetical. This is the real-world cost,” he said.
“This wasn’t a faceless act. It wasn’t just systems or data you targeted — it was care. It was people. One of them has now lost their life. That should weigh heavily.”