Cyberattack on UK Health Firm Contributed to Patient Death

A cyberattack that caused disruption at hospitals in London last year contributed to the death of a patient, health officials have confirmed for the first time.

The incident occurred after a Russian hacking gang in June 2024 targeted Synnovis, a contractor that provides blood testing, transfusion and other pathology services to the UK’s National Health Service, or NHS. The breach triggered a major crisis at health-care providers predominantly in the southeast of the city.

One of the affected NHS hospital groups, the King’s College Hospital NHS Foundation Trust, said in a statement Wednesday that the hack was a contributing factor in the death of a patient. The incident represents the first known case in which health officials have publicly confirmed that a cyberattack has caused or contributed to a death.

“One patient sadly died unexpectedly during the cyberattack,” said a spokesperson for the King’s College NHS trust. The trust carried out an investigation into the patient’s death and found that a long wait for a blood test result due to the cyberattack was a contributing factor, the spokesperson added.

Attackers infected Synnovis’ computers with ransomware, which encrypted files stored on the company’s systems and rendered them inoperable. That led to months of disruption at hospitals and doctors’ surgeries. According to the NHS, medical facilities were forced to postpone more than 10,000 appointments and cancel more than 1,700 elective procedures.

“We are deeply saddened to hear that last year’s criminal cyberattack has been identified as one of the contributing factors that led to this patient’s death,” said Synnovis Chief Executive Officer Mark Dollar in a statement. “Our hearts go out to the family involved.”

Doctors had recorded two cases of “major harm” linked to the hack, in addition to 11 cases of moderate harm and 120 cases of minor harm, Bloomberg News reported in January. Details about the specific damage to individuals’ health wasn’t available due to patient confidentiality. It’s unclear when health officials established that the patient death had been linked to the hack.

Saif Abed, a former NHS doctor and expert in cybersecurity, said that the case amounted to the first publicly acknowledged death linked to a cyberattack involving a health provider anywhere in the world. He called on the UK government to commission an independent review into the NHS’s cybersecurity and patient safety.

“Cyberattacks have long been recognized as a threat to patient safety but now we have tragic evidence of that fact,” he said.

The hackers responsible for the attack on Synnovis, who use the name Qilin, told Bloomberg News in a June 2024 interview that they had demanded $50 million from the company. They refused to accept responsibility for the human cost of their breach, and suggested their attack was justified as retaliation for the British government’s involvement in unspecified wars. The hackers subsequently dumped online a trove of confidential medical data they had stolen from Synnovis’ computers.

It’s rare for health-care organizations to publish data on harms caused to patients as a result of cybersecurity incidents. In a separate attack on Ireland’s hospitals in 2021, for instance, Irish health executives said they didn’t have numbers on specific harms inflicted, though scores of patients had treatments for cancer and other serious conditions postponed.

Following a ransomware attack on a hospital in Alabama in 2019, a woman filed a lawsuit alleging that disruption to medical systems caused by the hack led to the death of her baby because doctors were unable to assess fetal monitoring results, which showed the child was in distress during the birth. The hospital later settled the suit.

Photograph: Details of the National Health Service are seen on the side of an emergency ambulance on March 13, 2025 in High Wycombe, England. (Photo by Ben Montgomery/Getty Images)

Related: