Patient death linked to cyber attack on NHS pathology provider
- 26 June 2025
- The first patient death linked to the cyber attack last year on NHS pathology system provider Synnovis has been confirmed
- A spokesperson for Kingās College Hospital NHS Foundation Trust said confirmed that "a number of contributing factors" to the death were identified, including a long wait for a blood test result" as a result of the cyber attack
- Synnovis chief executive Mark Dollar said the company is "deeply saddened" by the death
A patient death has been linked to the cyber attack on NHS pathology system provider Synnovis, Kingās College Hospital NHS Foundation has confirmed.
TheĀ ransomware attack on 4 June 2024Ā caused widespread disruption to NHS services in London, withĀ 10,152 acute outpatient appointments and 1,710 elective procedures postponed at Kingās College Hospital NHS Foundation Trust and Guyās and St Thomasā NHS Foundation Trust, and delays to blood testing in primary care.
A spokesperson for Kingās College Hospital told Digital Health News that one patientĀ died unexpectedly during the cyber attack.
“As is standard practice when this happens, we undertook a detailed review of their care.
āThe patient safety incident investigation identified a number of contributing factors that led to the patientās death.
āThis included a long wait for a blood test result as a result of the cyber attack impacting pathology services at the time.
“We have met with the patientās family and shared the findings of the safety investigation with them,ā the spokesperson said.
They added that the date of the death or personās age cannot be confirmed due to confidentiality.
Responding to the news, Mark Dollar, chief executive at Synnovis, said: āWe are deeply saddened to hear that last yearās criminal cyber attack has been identified as one of the contributing factors that led to this patientās death.
“Our hearts go out to the family involved.ā
Initial figures released by NHS South East London Integrated Care Board in November 2024, recorded five cases of moderate harm and 114 cases of low harm as a result of the attack, but did not report any cases of serious harm.
However, in January 2025 NHS data obtained by Bloomberg News revealed that healthcare professionals across at least four London boroughs recorded two cases of severe harm, 11 cases of moderate harm, and more than 120 cases of low harm as a direct consequence of the cyber attack.
Dr Saif Abed, founding partner and director of cybersecurity advisory services at The AbedGraham Group, told Digital Health News: “This tragedy, sadly, will not be unique and will be repeated again, likely at scale, in future unless political leadership re-prioritises the issue.
“I ask the health secretary to commission an independent, clinically focused review into NHS cybersecurity and patient safety.
“Likewise I ask the Health Select Committee to commence with an inquiry as a matter of urgency given the broken nature of the NHSās digital supply chain.”
Digital Health News reported that the cyber attack on Synnovis could have been prevented by two-factor authentication.
Meanwhile, suppliers to the NHS have been urged by NHS England and the Department of Health and Social Care to sign a charter of cyber security best practice.
The charter, published on 15 May 2025, requests suppliers to take steps which include maintaining support for systems, applying patches to known vulnerabilities, applying multi-factor authenticationĀ to networks and systems, and keeping āimmutable backupsā of critical business data.
In April 2025, the governmentĀ published its plans for the Cyber Security and Resilience Bill, whichĀ is intended to prevent attacks similar to theĀ Synnovis attack.
