Ransomware attack contributed to patient's death

King’s College Hospital was one of the affected NHS trusts, along with St Thomas’ and certain GP services
The death of one person has been linked to a ransomware attack on NHS blood services at London hospitals and GP surgeries last June.
King's College Hospital NHS Foundation Trust confirmed that one patient had "died unexpectedly" during the cyber attack on 3 June 2024, which disrupted more than 10,000 appointments.
A spokesperson for the trust said a number of contributing factors led to the patient's death including "a long wait for a blood test result".
Patient data managed by Synnovis, an agency which manages labs for NHS trusts and GPs in south-east London, was stolen during the incident.
A spokesperson for the trust said a detailed review had been undertaken of the patient's care.
"The patient safety incident investigation identified a number of contributing factors that led to the patient's death," they said.
"This included a long wait for a blood test result due to the cyber-attack impacting pathology services at the time.
"We have met with the patient's family, and shared the findings of the safety investigation with them."
The spokesperson added they could not confirm the date of the death or the person's age, citing confidentiality.
Mark Dollar, chief executive of Synnovis, said: "We are deeply saddened to hear that last year's criminal cyber attack has been identified as one of the contributing factors that led to this patient's death.
"Our hearts go out to the family involved."
More than 10,000 appointments were cancelled at the two London NHS trusts that were worst affected. A significant number of GP practices in London were unable to order blood tests for their patients.
The Health Service Journal (HSJ) reported there were nearly 600 "incidents" linked to the attack, with patient care suffering in 170 of these. One case was of "severe" harm, 14 led to "moderate" harm and the remainder were identified as "low harm", HSJ said.
According to NHS guidance, severe harm occurs when patients either suffer permanent harm, need life-saving care or could have reduced their life expectancy, among a number of other factors.
'Not to blame'
Deryck Mitchelson, from cyber security firm Check Point, said the cyber attacks were more than just "disruption" as they caused "patient harm".
Mr Mitchelson, formerly director of National Digital and chief information security officer for NHS National Services Scotland, said IT systems were only ever as secure as the weakest link in the chain.
"The death now confirmed is tragic, but it is not surprising. When systems that underpin diagnostics and treatment are brought down at scale, the consequences are not hypothetical. This is the real-world cost," he said.
"This wasn't a faceless act. It wasn't just systems or data you targeted — it was care. It was people. One of them has now lost their life. That should weigh heavily."
Qilin, the Russia-based cyber-criminal group responsible for the attack, previously said it was "sorry" for all the harm caused but was "not to blame".
The ransomware gang spoke to the BBC in June 2024 on encrypted chat service qTox and attempted to justify the attack as a form of political protest.
Qilin claimed it carried out the cyber-attack as revenge for the UK government's actions in an undisclosed war.
Additional reporting by Chris Vallance, BBC Technology.