A cyberattack that caused disruption at hospitals in London last year contributed to the death of a patient, health officials have confirmed for the first time.
The incident occurred after a Russian hacking gang in June 2024 targeted Synnovis, a contractor that provides blood testing, transfusion and other pathology services to the UK’s National Health Service, or NHS. The breach triggered a major crisis at health-care providers predominantly in the southeast of the city.
One of the affected NHS hospital groups, the King’s College Hospital NHS Foundation Trust, said in a statement Wednesday that the hack was a contributing factor in the death of a patient. The incident represents the first known case in which health officials have publicly confirmed that a cyberattack has caused or contributed to a death.
Read more: NHS Cyberattack in UK Inflicted Long-Term Harm on Patient Health
“One patient sadly died unexpectedly during the cyberattack,” said a spokesperson for the King’s College NHS trust. The trust carried out an investigation into the patient’s death and found that a long wait for a blood test result due to the cyberattack was a contributing factor, the spokesperson added.
Attackers infected Synnovis’ computers with ransomware, which encrypted files stored on the company’s systems and rendered them inoperable. That led to months of disruption at hospitals and doctors’ surgeries. According to the NHS, medical facilities were forced to postpone more than 10,000 appointments and cancel more than 1,700 elective procedures.
“We are deeply saddened to hear that last year’s criminal cyberattack has been identified as one of the contributing factors that led to this patient’s death,” said Synnovis Chief Executive Officer Mark Dollar in a statement. “Our hearts go out to the family involved.”
Doctors had recorded two cases of “major harm” linked to the hack, in addition to 11 cases of moderate harm and 120 cases of minor harm, Bloomberg News reported in January. Details about the specific damage to individuals’ health wasn’t available due to patient confidentiality. It’s unclear when health officials established that the patient death had been linked to the hack.
Saif Abed, a former NHS doctor and expert in cybersecurity, said that the case amounted to the first publicly acknowledged death linked to a cyberattack involving a health provider anywhere in the world. He called on the UK government to commission an independent review into the NHS’s cybersecurity and patient safety.
“Cyberattacks have long been recognized as a threat to patient safety but now we have tragic evidence of that fact,” he said.
